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$_( \ Abstract. The implementation of reUable and efficient geometric algo- 

, Cy , rithms is a challenging task. The reason is the following conflict: On 

the one hand, computing with rounded arithmetic may question the re- 
liability of programs while, on the other hand, computing with exact 
CTS ■ arithmetic may be too expensive and hence inefficient. One solution is 

the implementation of controlled perturbation algorithms which combine 
the speed of floating-point arithmetic with a protection mechanism that 
guarantees reliability, nonetheless. 

This paper is concerned with the performance analysis of controlled per- 
turbation algorithms in theory. We answer this question with the pre- 
t/3 ' sentation of a general analysts tool box for controlled perturbation algo- 

^, , rithms. This tool box is separated into independent components which 

are presented individually with their interfaces. This way, the tool box 
supports alternative approaches for the derivation of the most crucial 
^ , bounds. We present three approaches for this task. Furthermore, we have 

^^ ' thoroughly reworked the concept of controlled perturbation in order to 

>0 I include rational function based predicates into the theory; polynomial 

\l . based predicates are included anyway. Even more we introduce object- 

preserving perturbations. Moreover, the tool box is designed such that it 
fT^ , reflects the actual behavior of the controlled perturbation algorithm at 

^^ ■ hand without any simplifying assumptions. 
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j^ ! 1 Introduction 



1.1 Robust Geometric Computing 

It is a notoriously difficult task to cope with rounding errors in computing [22113] . 
In computational geometry, predicates are decided on the sign of mathematical 
expressions. If rounding errors cause a wrong decision of the predicate, geometric 
algorithms may fail in various ways: inconsistency of the data (e.g., contradictory 
topology) , loops that do not terminate or loops that terminate unexpectedly |38| . 
In addition, the thoughtful processing of degenerate cases makes the implemen- 
tation of geometric algorithms laborious [4] . The meaning of degeneracy always 
depends on the context (e.g., three points on a line, four points on a circle). 
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There are several ways to overcome the numerical robustness issues and to deal 
with degenerate inputs. 

The exact computation paradigm ^36'37'43'2 3|58|44] suggests an implemen- 
tation of an exact arithmetic. This is established by a number representation of 
variable precision (i.e., variable bit length) or the use of symbolic values which are 
not evaluated (e.g., roots of integers). There are several implementations of such 
number types |10I42I49I48I44| . Each program must be developed carefully such 
that it can deal with all possible degenerate cases. The software libraries Leda 
and Cgal follow the exact computation paradigm |44|39|18] . The paradigm was 
also taken as a basis in |3I53I27] . 

As opposed to that, the topology oriented approach [54I34|55] is based on 
an arithmetic of finite precision. To avoid numerical robustness issues, the main 
guideline is the maintenance of the topology. This objective requires individual 
alterations of the algorithm at hand and it seems that it cannot be turned into an 
easy-to-use general framework. Furthermore, this approach must also cope with 
degenerate inputs. However, the speed of floating-point arithmetic may be worth 
the trouble; in addition with other accelerations. Held |31| has implemented a 
very fast computation of the Voronoi diagram of line segments. 

There are also problem- oriented solutions. In computational geometry, the 
sign of determinants decides an interesting class of predicates. For example, the 
side-of-line or the in-circle predicate in the plane belong to this class and are 
used in the computation of Delaunay diagrams. Some publications attack the 
numerical issues in the evaluation of determinants directly |2|5) . 

The previous approaches have in common that they primarily focus on the 
numerical issues. Other approaches are originated from the degeneracy issue. 
A slight perturbation of the input seems to solve this problem. There are dif- 
ferent approaches which are based on perturbation. The symbolic perturbation, 
see for example |14|57|56|15|16|52|47j . provides a general way to distort inputs 
such that degeneracies do not occur. This definitely provides a shorter route for 
the presentation of geometric algorithms. Practically this approach requires ex- 
act arithmetic to avoid robustness issues. Therefore the pitfall in this approach 
is that, if the concept requires very small perturbations, it implicates a high 
precision and possibly a slow implementation. 

In this paper we focus on controlled perturbation. This variant was intro- 
duced by Halperin et al. [30] for the computation of spherical arrangements. 
There a perturbed input is a random point in the neighborhood of the initial 
input. It is unlikely, but not impossible, that the input is degenerate. Therefore 
the algorithm has a repeating perturbation process with two objectives: Find- 
ing an input that does not contain degeneracies and that leads to numerically 
robust floating-point evaluations. Halperin et al. have presented mechanisms to 
respond to inappropriate perturbations. Moreover, they have argued formally 
under which conditions there is a chance for a successful termination of their 
algorithm. Controlled perturbation leads to numerically robust implementations 
of algorithms which use non-exact arithmetic and which do not need to process 
degenerate cases. 
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This idea of controlled perturbation was applied to further geometric prob- 
lems afterwards: The arrangement of polyhedral surfaces [29], the arrangement 
of circles [28] , Voronoi diagrams and Delaunay triangulations [40|25j . However, 
the presentation of each specific algorithm has required a specific analysis of its 
performance. This broaches the subject of a general method to analyze controlled 
perturbation algorithms. 

We remark that controlled perturbation has also a shady side: Although it 
solves the problem for the perturbed input exactly, it does not solve it for the 
initial input. Furthermore, it is non-obvious how to receive a solution for the 
initial input in general. In case the input is highly degenerated, the running 
time of the algorithm may increase significantly after the permutation [811] . In 
this case, the specialized treatment of degeneracies may be much faster. 

1.2 Our contribution 

The study of a general method to analyze controlled perturbation algorithms is a 
joint work with Kurt Mehlhorn and Michael Sagraloff. We have firstly presented 
the idea in f45] . Then Caroli [9 studied the applicability of the method for pred- 
icates which are used for the computation of arrangements of circles (according 
to [28]) and the computation of Voronoi diagrams of line segments (according 
to |6|51) ). Our significantly improved journal article contains, furthermore, a 
detailed discussion of the analysis of multivariate polynomials 2Q . 

Independent of former publications, the author has redeveloped the topic 
from scratch to design a sophisticated tool box for the analysis of controlled per- 
turbation algorithms. The tool box is valid for floating-point arithmetic, guides 
step by step through the analysis and allows alternative components. Further- 
more, the solutions of two open problems are integrated into the theory. We 
briefly present our achievements below. 

We present a general tool box to analyze algorithms and their predicates. 
The tool box is subdivided into independent components and their interfaces. 
Step-by-step instructions for the analysis are associated with each component. 
Interfaces represent bounds that are used in the analysis. The result is a precision 
function or a probability function. Furthermore, necessary conditions for the 
analysis are derived from the interfaces (e.g., the notion of criticality differs 
from former publications). 

We present alternative approaches to derive necessary bounds. Because we 
have subdivided the tool box into independent components and their interfaces, 
it is possible to make alternative components available in the most crucial step 
of the analysis. The direct approach is based on the geometric meaning of pred- 
icates, the bottom-up approach is based on the composition of functions, and 
the top-down approach is a coordinate-wise analysis of functions. Similar direct 
and top-down approaches are presented in [45I46J . This is the first time that a 
bottom-up approach is presented for this task. 

The result of the analysis is valid for floating-point arithmetic. A random 
floating-point number generator that guarantees a uniform distribution was in- 
troduced in [46]. But, so far, the result of the analysis was never proven to be 
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valid for the finite set of floating-point numbers since the Lebesgue measure 
cannot take sets of measure zero into account. To overcome this issue, we define 
a specialized perturbation generator and pay attention to the finiteness in the 
analysis, namely, in the success probability, in the (non-) exclusion of points and 
in the usage of the Lebesgue measure. 

We present an alternative analysis of multivariate polynomials. An analysis of 
multivariate polynomials, which resembles the top-down approach, is presented 
in [46j . Here we present an alternative analysis which makes use of the bottom- up 
approach. 

We solve the open problem of analyzing rational functions. We include poles 
of rational functions into the theory and describe the treatment of floating-point 
range errors in the analysis. We suggest a general way to guard rational functions 
in practice and we show how to analyze the behavior of these guards in theory. 

We solve the open problem of object-preserving perturbations. We introduce 
a perturbation generator that makes it possible to perturb the location of input 
objects without deforming the objects itself. To achieve this goal, we have de- 
signed the perturbation such that the relative floating-point input specifications 
of the objects are preserved despite of the usage of rounded arithmetic. 

We suggest an implementation that is in accordance with the analysis tool box. 
We define a fixed-precision perturbation generator and extend it to be object- 
preserving. We explain the particularities in the practical treatment of range 
errors that occur especially in the case of rational functions. Finally, we show 
how to realize guards for rational functions. 

1.3 Content 

In this paper we present a tool box for a general analysis of controlled perturba- 
tion algorithms. In Section[51 we present the basic design principles of controlled 
perturbation from a practical point of view. Fundamental quantities and def- 
initions of the analysis are introduced in Section [3l The general analysis tool 
box and all of its components are briefly introduced in Section |4l Its detailed 
presentation is structured in two parts: The function analysis and the algorithm 
analysis. 

Geometric algorithms base their decisions on geometric predicates which are 
decided by signs of real- valued functions. Therefore the analysis of algorithms 
requires a general analysis of such functions. The function analysis is visualized 
in Figure [7] on Page [23l Since the analysis is performed with real arithmetic, we 
must also prove its validation for actual floating-point inputs. This validation 
is anchored in Section [5j The function analysis itself works in two stages. The 
required bounds form the interface between the stages and are presented in 
Section [6] The method of quantified relations represents the actual analysis in 
the second stage and is introduced in Section [71 The derivation of the bounds in 
the first stage uses the direct approach of Section [SJ the bottom-up approach of 
Section[SJ or the top-down approach of Section llOi together with an error analysis 
which is introduced in Section [TTl In Section [12] we extend the analysis and the 
implementation such that both properly deal with floating-point range errors. 
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As examples, we present the analysis of multivariate polynomials in Section [9] 
and the analysis of rational functions in Section 1131 

The algorithm analysis is visualized in Figure [25] on Page [75] The algorithm 
analysis works also in two stages. In the first stage, we perform the function 
analyses and derive some algorithm specific bounds. The analysis itself in the 
second stage is represented by the method of distributed probability. The algo- 
rithm analysis is entirely presented in Section [14] 

Furthermore, we present a general way to implement controlled perturbation 
algorithms in Section [15] such that our analysis tool box can be applied to them. 
Even more, we suggest a way to implement object-preserving perturbations in 
Section [16] 

A quick reference to the most important definitions of this paper can be 
found in the appendix in Section [17] 

2 Controlled Perturbation Algorithms 

This section contains an introduction to the basic principles for controlled per- 
turbation algorithms. We have already mentioned that implementations of ge- 
ometric algorithms must address degeneracy issues and numerical robustness 
issues. We review floating-point arithmetic in Section 12.11 and present the basic 
design principles of controlled perturbation algorithms in Section 12.21 

2.1 Floating-point Arithmetic 

Variable precision arithmetic is necessary for a general implementation of con- 
trolled perturbation algorithms. We explain this statement with the following 
thought experimenl]^ that can be skipped during first reading: Assume we com- 
pute an arrangement of n circles incrementally with a fixed precision arithmetic. 
Let us further assume that there is an upper bound on the radius of the circles. 
Then, because of the fixed precision, the number of distinguishable intersections 
per circle must be limited. Hence the computation of a dense arrangement gets 
stuck after a certain amount of insertions unless we allow circles to be moved 
(perturbed) further away from their initial location. Asymptotically, this policy 
transforms a very dense arrangement into an arrangement of almost uniformly 
distributed circles. Therefore we demand that the precision of the arithmetic can 
be chosen arbitrarily large. 

A floating-point number is given by a sign, a mantissa, a radix and a signed 
exponent. In the regular case, its value is defined as 

value := sign • mantissa • radix°'^''°"°'^ . 

Without loss of generality, we assume the radix to be 2. The bit length of the 
mantissa is called precision L. We denote the bit length of the exponent by K. 



^ This consideration is absolutely conform to Halperin et al. ^B]: If the augmented 
perturbation parameter S exceeds a given threshold A, the precision is augmented 
and S is reset. 
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The discrete set of regular floating-point numbers is a subset of the rational 
numbers. Furthermore, this set is finite for fixed L and K. 

A floating-point arithmetic defines the number representation (the radix, L 
and K), the operations, the rounding policy and the exception handling for 
floating-point numbers (see Goldberg [26]). A technical standard for fixed preci- 
sion fioating-point arithmetic is IEEE 754-2008 (see [53]). Nowadays, the built-in 
types single, double and quadruple precision are usual for radix 2. 

There are several software libraries that offer variahli^ precision floating- 
point arithmetic. Cgal provides the multi-precision floating-point number type 
MP_Float (see the Cgal manual [10'). Core provides the variable precision 
floating-point number type CORE: :BigFloat (see [42]). And Leda provides the 
variable precision fioating-point number type leda_bigf loat (see the Leda 
book [44]). Be aware that the rounding policy and exception handling of cer- 
tain libraries may differ from the IEEE standard. Since our analysis partially 
presumefjij this standard, we must ensure that the arithmetic in use is appropri- 
ate. The Gnu Multiple Precision Floating-Point Reliable Library, for example, 
"provides the four rounding modes from the IEEE 754-1985 standard, plus away- 
from-zero, as well as for basic operations as for other mathematical functions" 
(see the Gnu Mpfr manual '^O'). Moreover, Gnu Mpfr is used for the mul- 
tiple precision interval arithmetic which is provided by the Multiple Precision 
Floating-point Interval library (see the Gnu Mpfi manual |48) ) . 

Variable precision arithmetic is more expensive than built-in fixed precision 
arithmetic. We remark that, in practice, we try to solve the problem at hand 
with built-in arithmetic first and, in addition, try to make use of fioating-point 
filters. Throughout the paper we use the following notations. 

Definition 1 (floating-point). Let L,K eN. By ¥l^k we denote: 

1. The set of floating-point numbers with radix 2, precision L and K-bit 
exponent. 

2. The floating-point arithmetic that is induced by the set characterized in 1. 

Furthermore, we define the suffix |f for sets and expressions: 

1. Let ken and let X (ZMJ" . Then X\r := X r\W^ . 

2. /(a;)|F denotes the floating-point value of f{x) evaluated with arithmetic F. 

That means, by X\f we denote the restriction of X to its subset that can be 
represented with floating-point numbers in F. To simplify the notation we omit 
the indices L oi K oiV^^K whenever they are given by the context. For the same 
reason we have already skipped the dimension k in the suffix \f. 



^ With variable we subsume all types of arithmetic that support arbitrarily large pre- 
cisions. Some are called variable precision, multiple precision or arbitrary precision. 
^ A standardized behavior of floating-point operations is presumed in Section 1111 
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2.2 Basic Controlled Perturbation Implementations 

Rounding errors of floating-point arithmetic may influence the result of predicate 
evaluations. Wrong predicate evaluations may cause erroneous results of the 
algorithm and even lead to non- robust implementations (see Kettner et al. |38|). 
In order to get correct and robust implementations, we introduce guards which 
testify the reliability of predicate evaluations (see |24l7l46p . 

Definition 2 (guard). Let ¥ be a floating-point arithmetic and let f : X ^ M. 
be a function with X C M'^. We call a predicate Qf : X ^ {true, false} a guard 
for f on X if 

Gfix) is true => sign(/(a;)|F) = sign(/(a:)) 

for all X € X\¥. Presumed that there is such a predicate Qf, we say that an input 
X € X\w is guarded if Qf(x) is true and unguarded if Q fix) is false. 

That means, guards testify the sign of function evaluations. A design of guards 
is presented in Section [11] By means of guards we can implement geometric 
algorithms such that they can either verify or disprove their result. 

Definition 3 (guarded algorithm). We call an algorithm Aq a guarded al- 
gorithm if there is a guard for each predicate evaluation and if the algorithm 
halts either with the correct combinatorial result or with the information that 
a guard has failed. If Aq halts with the correct result, we also say that Aq is 
successful, and we say that Ag has failed if a guard has failed. 

Let y be an input of Aq. In case Aciy) is successful, we obtain the desired 
result for input y. Of course, the situation is unsatisfying if Ag fails. Therefore 
we introduce controlled perturbation (see Halperin et al. [25]): We execute Ac 
for randomly perturbed inputs y (i.e., random points in the neighborhood of y) 
until Ag terminates successfully. Furthermore, we increase the precision L of the 
floating-point arithmetic F after each failure in the hope to improve the chance to 
succeed. (It is the task of the analysis to give evidence.) We summarize this idea 
in the provisional controlled perturbation algorithm basic-^cp which is shown 
in Algorithm [T] The general controlled perturbation algorithm is presented on 
page [81] in Section [Ml 

We see that there is an implementation of basic-y^cp (-^G ) for every guarded 
algorithm ^Gj or to say it in other words, for every algorithm that is only 
based on geometric predicates that can be guarded. It is important to note that 
this does not necessarily imply that basic-^cp performs well. It is the main 
objective of this paper to develop a general method to analyze the performance 
of controlled perturbation algorithms ^cp • 



3 Fundamental Quantities and Definitions 

Our main aim is the derivation of a general method to analyze controlled pertur- 
bation algorithms. In order to achieve this, we introduce fundamental quantities 
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Algorithm 1 : basic- Acp{AG,y,l^s) 



/* initialization */ 

L ■(— precision of built-in floating-point arithmetic 

repeat 

/* run guarded algorithm */ 
y •<— random point in Us{y'jfj^ 

/* adjust parameters */ 
if Ag failed then 

L<-2L 
end if 
until ^G succeeded 

/* return perturbed input y and result uj */ 
return {y,u)) 



first. In Section [3. II we define the quantities that describe the situation which we 
want to analyze. We encounter and discuss many issues during the definition of 
the success probabihty in Section [3.2l This is the first presentation of a detailed 
modelling of the floating-point success probability. Controlled perturbation spe- 
cific quantities are introduced in Section 13.31 (Further analysis specific bounds 
are defined in the presentation of the analysis later on.) The overview in Sec- 
tion 13.41 summarizes the classification of inputs in practice and in the analysis. 
In Section 13.51 we present conditions under which we may apply controlled per- 
turbation to a predicate in practice and under which we can actually justify its 
application in theory. 



3.1 Perturbation, Predicate, Function 

Here we define the quantities that are needed to describe the initial situation: the 
original input, the perturbation area, the perturbation parameter, the perturbed 
input, the input value bound, functions that realize geometric predicates, and 
predicate descriptions. 

In the analysis we assume that the original input y of a controUed-perturbation 
algorithm ^cp consists of n fioating-point numbers, that means, y G F" or, as 
we prefer to say, y S M"|f. At this point we do not care for a geometrical inter- 
pretation of the input of Acp ■ We remark that this is no restriction: a complex 
number can be represented by two numbers; a vector can be represented by the 
sequence of its components; geometric objects can be represented by their co- 
ordinates and measures; and so on. A circle in the plain, for example, can be 
represented by a 6-tuple (the coordinates of three distinct points in the circle) 
or a 3-tuple (the coordinates of the center and the radius). And, to carry the 
example on, an input of m circles can be interpreted as a tuple y G K"|f with 
n := 6m if we choose the first variant. 



General Analysis Tool Box for Controlled Perturbation 9 

We define the perturbation of y a,s a random additive distortion of its com- 
ponentso We call Us{y) C M" a perturbation area with perturbation parameter 

6 a 

1. 5eR5o, 

2. y G Us{y) implies \yi — j/i| < (5i for 1 < i < n and 

3. Us{y) contains an (open) neighborhood of y. 

Note that Us{y) is not a discrete set whereas Us{y)\w is finite. In our example, 
if we allow a circular perturbation of the 3m points which define the m input 
circles, the perturbation area is the Cartesian product of 3m planar discs. We 
make the observation that even if we consider the input as a plain sequence 
of numbers, the perturbation area may look very special — we cannot neglect 
the geometrical interpretation here! In this context, we define an axis-parallel 
perturbation area Us{y) as a box which is centered in y and has edge length 25i 
parallel to the i-th main axis (and always denote it by the latin letter U instead 
of U) . This definition significantly simplifies the shape of the perturbation area. 

Naturally, the perturbed input must also be a vector of floating-point num- 
bers. For now, we denote the perturbed input by y e lA{y)\f. (We remark that we 
refine this definition on page [T2)) . 

The analysis of Acp depends on the analysis of Aq and its predicates (see 
Section I14p . We remember that a geometric predicate, which is true or false, is 
decided by the sign of a real-valued function f . Therefore we introduce further 
quantities to describe such functions. We assume that / is a fc-ary real-valued 
function and that k -^ n. We further assume that we evaluate / at fc distinct 
perturbed input values, that means, we evaluate /(y(T(i)j • ■ • j 2/cr(fe)) where a : 
{l,...,k} — > {!,..., n} is injective. The mapping a is injective to guarantee 
that the variables in the formula of / are independent of each other. To not 
get the indices mixed up in the analysis, we rename the argument list of / into 
Xi := yaii) for 1 < i < fc. In the same way we also rename the affected input 
values Xi := ya{i) ■ We denote the set of valid arguments for f by A. 

In the analysis, emax implicitly describes an upper-bound on the absolute 
value of perturbed input values in the way 

emax := min |e' G N : \y^\ + 6i < 2"' for all 1 < i < n| . (1) 

We call e,nax the input value parameter. Be aware that this is just a bound on 
the arguments of / and not a bound on the absolute value of /. At the moment 
we assume that the absolute value of / is bounded on A and that the size K of 
the exponent of the floating-point arithmetic ¥l,k is sufficiently large to avoid 
overflow errors during the evaluation of /. In Section[T2l we drop this assumption 
and discuss the treatment of range issues. 

Below we summarize the basic quantities which are needed for the analysis 
of a function /. 



* There is no unique definition of perturbation in geometry (see the introduction 
in [52]). 
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Definition 4. We call (/, fc, A,5, e,nax) o, predicate description if: 

1. keN, 

2. Ad M'=, 

3. Sg M^o. 

4- Gmax is as it is defined in Formula (OP, 

5. Us{A) C [-2'=»-,2^"-]'= and 

6. f:UsiA)^R. 

Predicate descriptions are used on and on. We extend the notion in Definition [9] 
on page [12] and in Definition [T^ on page [551 



3.2 Success Probability, Grid Points 

Tlie controlled-perturbation algoritlrm Acp terminates eventually if there is a 
positive probability that Ag terminates successfully. The latter condition is ful- 
filled if / has the property: The probability of a successful evaluation of / gets 
arbitrarily close to the certain event just by increasing the precision L. We call 
this property applicability and specify it in Section (3.51 

In this section we derive a definition for the success probability that is appro- 
priate for the analysis and that is valid for floating-point evaluations. We begin 
with the question: What is the least probability that a guarded evaluation of / is 
successful in a run of ^g under the arithmetic F? We assume that each random 
point is chosen with the same probability. Then the answer is 

. \{x G tJsixJr ■■ Gix) is true} I 
W[j]¥) ■■= mm 



xgA I Us{x)\w I 

The definition really reflects the actual behavior of /. The probability is the 
number of guarded (floating-point) inputs divided by the total number of inputs 
and considers the worst-case for all perturbation areas. 



Issue 1: Floating-point arithmetic is hard to be analyzed directly 

Because floating-point arithmetic and its rounding policy can hardly be ana- 
lyzed directly, we aim at deriving a corresponding formula for real arithmetic. 
In real space, we use the Lebesgue measurCl /^ to determine the volume of areas. 
Therefore we are looking for a formula like 

. ^^{{xeUs{x) : g'{x)istinc}) 
pr( f :— mm — ^-^^ , - , ,, ^^ (2) 

where the predicate Q' : Us{A) — > {true, false} equals Q at arguments with 
floating-point representation. 



^ Measure Theory; The Lebesgue measure is defined in Forster [21] 



General Analysis Tool Box for Controlled Perturbation 11 

Issue 2: The set of floating-point numbers has measure zero 

It is well-known that the set Us{xjr is finite and that its superset Us{xJq is a 
set of measure zero. Be aware that the fraction in Formula ([2]) does not change 
if we redefine / on a set of measure zero. This implies some bizarre situations. 
For examplell let /faiso : tJsiA) ^ M be 



/false (a;) := 
and let /true : Us {A) -;► R be 

/true (a;) := 



fix) : x^UsiA)\Q 
: otherwise 



fix) : x^UsiA\ 
B : otherwise 



where B € M>o is large enough to guarantee that the guard G evaluates to true 
in the latter case. Be aware that pr(/faiso) = pr(/truo) due to Formula ^ whereas 
both implementations "^g with /true" and "y^c with /faisc" behave most con- 
flictive: The former is always successful whereas the latter never succeeds. We 
remark that the assumption "/ is (upper) continuous almost everywhere" does 
not solve the issue because "almost everywhere" means "with the exception of 
a set of measure zero." We have to introduce several restrictions to get able to 
deal with situations like that. 

Issue 3: There is no general relation between pr(/|F) and pr(/) 

This problem gets already visible in the 1-dimensional case. 

Example 1. Let F = F2,3 be the floating-point arithmetic with L = 2 and K = 3. 
In addition let U = [0, 2], i?i = [0, 1] and i?2 = [1, 2] be intervals. The situation 
is depicted in Figure [1] 



Fig. 1. Distribution of the discrete set F2,3 within the interval [0, 2]. 



What is the probability that a randomly chosen point x £ U lies inside of 7?i, 
respectively i?2, for points in U or [/|f? Note that Ri and i?2 have the same 
length. For i?i — [0, 1] we have 

1 17 

Pr(^i)-2 < Pr(^ilF) = ^, 



Note that there are finite sets of exceptional points that lead to similar counter- 
examples since every exception influences the practical behavior of the function (and 
L is finite). 



12 Ralf Osbild 

that means, the probabihty is higher for floating-point arithmetic. On the other 
hand, for R2 — [I, 2] we have 

1 5 

pr(i?2)-2 > MR2\f)^^, 

that means, the probabihty is higher for real arithmetic. Q 

We derive from Example [1] that there is no general relation between pr(/|F) and 
pr(/) because of the distribution of F. 

Issue 4: Distribution of F is non-uniform 

Because the discrete set of floating-point numbers is non-uniformly distributed 
in general, we smartly alter the perturbation policy: We restrict the random 
choice of floating-point numbers to selected numbers that lie on a regular grid. 

Definition 5 (grid). Let Cmax be as it is defined in Formula {Ip and let ¥l^k 
be a floating-point arithmetic (with emax ^ 2^^^). We define 

T := 2"=— -^-1. (3) 

We call 

<GL,K,e^^^ := {At : A e Z and Xt e [_2"»-% 2""-=-]} (4) 

the grid points induced by e,„ax with respect to Wi^j^ and we call r the grid unit 
of Gz,_i<-_e,„ax- Furthermore, we denote the grid points G inside of a set X C M.^ 
by 

xIg-.^xhg''. 

Again we omit the indices whenever they do not deserve special attention. We 
observe that the grid unit r is the maximum distance between two adjacent 
points in F n [—2'^'"'"', 2'^""'']. We observe further that the grid points G form a 
subset of F. Be aware that the symbol F represents a set or an arithmetic whereas 
the symbol G always represents a set. It is important to see that the underlying 
arithmetic is still F. We have introduced G only to change the definition of the 
original perturbation area into Us{y)\G- This leads to the final version of the 
success probability of f: The least probability that a guarded evaluation of / is 
successful for inputs in G under the arithmetic F is 

. \{xeUsix)\G : Gix) istTue}\ 

Pn/lc) := mm ^ 1 .-. ,-., 1 -■ (5) 

^£-4 I Us(x)\q I 

Before we continue this consideration, we add a remark on the implementation 
of the perturbation area h(s{y)\G- 

Remark 1. Because the points in G arc uniformly distributed, the implementa- 
tion of the perturbation is significantly simplified to the random choice of integer 
A in Formula (JH) . This functionality is made available by basically all higher pro- 
gramming languages. Apart from that we generate floating-point numbers with 
the largest possible number of trailing zeros. This possibly reduces the rounding 
error in practice. 
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Issue 5: Projection oiUs{y)\G is non-uniform 

The original perturbation area Usiyjo is a discrete set of uniformly distributed 
points of which every point is chosen with the same probability. As a conse- 
quence, the predicate perturbation area Us{x)\iq is also uniformly distributed. But 
it is important to see that this does not imply that all points in the projected 
grid appear with the same probability! We illustrate, explain and solve this issue 
in Section 1141 For now we continue our consideration under the assumption that 
all points in Us{xjis are uniformly distributed and randomly chosen with the 
same probability. 

Issue 6: Analyses for various perturbation areas may differ 

In the determination of pr(/|(j) in Formula ^, we encounter the difficulty to find 
the minimum ratio between the guarded and all possible inputs for all possible 
perturbation areas, that means, for all x G A. We can address this problem 
with a simple worst-case consideration if we cannot gain (or do not want to 
gain) further insight into the behavior of /: We just expect that, whatever could 
negatively affect the analysis of / within the total predicate perturbation area 
Us{A), affects the perturbation area Us{x) under consideration. This way, we 
safely obtain a lower bound on the minimum. 



Issue 7: There is no general relation between pr(/|G) and pr(/) 

Example 2. We continu( 
Because t/C [-2\2i], i 
is depicted in Figured] 



Example 2. We continue Example[T] In addition let R3 = [^, jg] be an interval. 
Because U C [—2^, 2^], we have Cmax — 1 and r = 2'^"""'"^"^ = i. The situation 



^3 



-•- 



i?i 1 R2 2 

Fig. 2. The distribution of the grid points 62,3,1 within the interval [0, 2] 



Again we compare the continuous and the discrete case: What is the probability 
that a randomly chosen point x € U lies inside of Ri {R2 or R3, respectively)? 
The probability is now higher for i?i and R2 in the discrete case 

1 5 

pr(i?i) = pr(i?2) =2 < Pr(fiilG) = pr(i?2|G) = g, 



and higher for R3 



2 1 

pr(i?3) = T > pK^sIg) = q 
5 6 



in the real case. O 
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We make the observation that the restriction to points in <G does not entirely 
solve the initial problem: We still cannot relate the probability pr(/) with pr(/|G) 
in general. To improve the estimate, we need another trick that we indicate in 
Example [31 // we make the interval slightly larger, we can safely determine the 
inequality. 

Example 3. Let r be the grid unit of G. We define three intervals R C i?aug C U . 
Let C/ C M be a closed interval of length Aqt with Aq G N. Let i?aug C C/ be an 
interval of length at least t that has the limits i?aug '■— [a ~ § ; ^ + §] for a, 6 € M. 
Finally, we define R := [a, b]. In addition let A G N be such that 

At < Ai(^aug) < (A + l)r. 

We observe that the number of grid points in _R|g a-nd i?aug|G is bounded by 

A-1 < mul < A < li^audcl < A + L 

Moreover, we make the important observation that 

I-R|g| ^ A < A = ^ < ^(^aug) 



I^TIgI - Ao + 1 - Ao AoT - ^([/) 

That means, it is more likely that a random point in U lies inside of i?aug than 
a random point in C/|g lies inside of -R|g- The inequality 

pr(i^G) < pr(-Raug) 
is valid independently of the actual choice or location of R. Q 

Issue 8: There is still no general relation between pr(/|G) and pr(/) 

The probability pr(/) is defined as the ratio of volumes. The definition is, in 
particular, independent of the location and shape of the involved sets. As an 
example, we consider the three different (shaded) regions in Figure [3] which all 
have the same volume. 

We make the important observation that the shape and location matter if 
we derive the induced ratio for points in G. The discrepancy between the ratios 
is caused by the implicit assumption that the grid unit r is sufficiently small. 
(Asymptotically, the ratios approach the same limit in the three illustrated ex- 
amples for r — >■ 0.) Be aware that making this assumption explicit leads to a 
second constraint on the precision L which we call the grid unit condition. To 
solve this issue, we need a way to adjust the grid unit r to the shape of R. We ad- 
dress this issue in general in Section [5. II For now we continue our consideration 
under the assumption that this problem is solved. 
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/i X2 



;i.T2 



■Cl 



nX2 



Xi 



Xl 



(a) 



(b) 



(c) 



Fig. 3. The volume of the shaded region R is the same in the three pictures. 
Depending on the shape and location of i?, it covers various fractions of the 
discrete set G. For example: (a) a quarter, (b) a half, (c) nothing. 



Summary and validation of pr(/|G) 

We summarize our considerations so far. The analysis of a guarded algorithm 
must reflect its actual behavior. (What would be the meaning of the analysis, 
otherwise?) Therefore we have defined the success probability of a floating-point 
evaluation of / in Formula ([S|) such that it is based on the behavior of guards. 
Furthermore, we have studied the interrelationship between the success proba- 
bility for floating-point and real arithmetic to prepare the analysis in real space. 
Be aware that we have introduced a specialized perturbation on a regular grid G 
(in practice and in analysis) which is necessary for the derivation of the interre- 
lationship. Moreover, we now make this relationship explicit for a single interval. 
(The general relationship is formulated in Section ISTT ) 

Example 4- (Continuation of Example |3l) Let / : C/ -^ M. We assume the fol- 
lowing property of i?: If a; € U\c lies outside of R then the guard G{x) is true. 
Then we have 

{a; e t/|G : Q{x) is true} | 



pr(ilG) 



\U\i 



> 1 - 



> 1 



\Hi 






We conclude: // we prove by means of abstract mathematics that 

M(^aug) 



1 



^i{u) 



>p 



for a probability p G (0, 1), we have implicitly proven that 

pr(/|G) > P 



for a randomly chosen grid point in 
discrete quantities. 



Be aware that pr(/lG) is defined only by 

^ o 
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Warning: processing exceptional points 

We explain in this paragraph why it is absolutely non-obvious how to process 
exceptional points in general. Assume that we want to exclude the set D G A 
from the analysis. This changes our success probability from Formula (O into 

, „ . . \\x e Ifsixja : g{x) is true) \ D I 

pr(ilG) = mm 



maxjO, \{x e Us{x)\g ■ Gix) is true}! — \D\] 
> min ^^ i-^^ 1 - — j — -. 

26-4 \Us{x}g\ 

To obtain a practicable solution, it is reasonable to assume that D is finite and, 
moreover, that \D\ <^ I Us{x)\g 1. This changes the relation in Example |4] into: 

p.(^c)>.nax|o,l "<«".' 1^1 1 



niU) I UsixjG I j ■ 

It is important to see that this estimate still contains two quantities that depend 
on the floating-point arithmetic. But our plan was to get rid of this dependency. 
In spite of the simplifying assumptions it is non-obvious how to perform the 
analysis in real space in general. Our suggested solution to this issue is to avoid 
exceptional points. Alternatively we declare them critical (see next section) which 
triggers an exclusion of their environment. 



3.3 Fp-safety Bound, Critical Set, Region of Uncertainty 

The fp-safety bound 

We introduce a predicate that can certify the correct sign of fioating-point eval- 
uations. The essential part of this predicate is the fp-safety bound. We show in 
Section [11] that there are fp-safety bounds for a wide class of functions. 

Definition 6 (lower fp-safety bound). Let {f,k,A,S,emax) be a predicate 
description. Let 5'inf / : N — )• M>o be a monotonically decreasing function that 
maps a precision L to a non-negative value. We call S'inf/ a (lower) fp-safety 
bound for f on A if the statement 

\f{x)\>S,n{f{L) => sign{f{x)\r,)^sign{f{x)) (6) 

is true for every precision L € N and for all x £ Us{A)yj^ . 

For the time being, we consider X to be a constant. We drop this assumption 
in Section [12] where we introduce upper fp-safety bounds. Until then we only 
consider lower fp-safety bounds. 
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The critical set 

Next we introduce a classification of the points in Us (A) in dependence on their 
neighborhood. (We refine the definition on PageFfOl) 



Definition 7 (critical). Let (/, k, A, S, e 
a point c G Us{x) critical if 

inf 

xeu4c)\{c} 



be a predicate description. We call 
1/(^)1=0 (7) 



on a neighborhood Ug{c) for infinitesimal small e > 0. Furthermore, we call zeros 
of f that are not critical less-critical. Points that are neither critical nor less- 
critical are called non-critical. We define the critical set Cf^s oi f at x & A with 
respect to S as the union of critical and less- critical points within Us{x). 

In other words, we call c critical if there is a Cauchy sequencqj (ai)ieN in Us{x) \ 
{c} where limi„>.oo Oi — c and limi_j.oo /(oj) — 0. We remember that the metric 
spacqfl R'^ is complete, that means, the limit of the sequence (a.;) lies inside of 
the closure Us {x) . Sometimes we omit the indices of the critical set C if they are 
given by the context. 

Example 5. We consider the three functions that are depicted in Figure (HJ. Let 

P + 1 for 



fi{x) = x^. Let f2ix) 
X ^ {-2,1} and f3{-2) 



x^ for X 7^ and /2(0) = 2. Let f3{x) = a 

and /3(1) — 0.2. The point a; = in Picture (a) is a 






(a) (b) (c) 

Fig. 4. Examples of critical, less-critical and non-critical points. 



zero and a critical point for /i. In (a), every argument a; 7^ is non-critical for 
/i. In (b), /2 is non-zero at a; = 0, but a:: = is a critical point for /2. In (c), the 
argument a; = — 2 is less-critical for /s and the argument a; = 1 is non-critical 
for /3. O 

'^ Analysis: Cauchy sequence is defined in Forster [20) . 

* Topology: Metric space and completeness are defined in Janich [35] . 
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What is the difference of critical and less-critical points? We observe that the 
point c is excluded from its neighborhood in Formula ([7]). Zeros of / would 
trivially be critical otherwise. Furthermore, we observe that zeros of continuous 
functions are always critical. For our purpose it is important to see that the 
infimum of |/| is positive if we exclude the less-critical points itself and neigh- 
borhoods of critical points. Be aware that we technically could treat both kinds 
differently in the analysis and still ensure that the result of the analysis is valid 
for floating-point arithmetic. Only for simplicity we deal with them in the same 
way by adding these points to the critical set. Only for simplicity we also add 
exceptional points to the critical set. 

The region of uncertainty 

The next construction is a certain environment of the critical set. 

Definition 8 (region of uncertainty) . Let {f,k,A,6,eniax) be a predicate de- 
scription. In addition let 7 e M^q . We call 

Rf,^{x):^Us{x) n j U U^{c)\ (8) 

the region of uncertainty for / induced by 7 with respect to x. 

In our presentation we use the axis-parallel boxes U^{c) to define the specific 
7-neighborhood of C; other shapes require adjustments, see Section lOl The sets 
Uj{c) are open and the complement of Rf_^{x) in Us{x) is closed. We omit the 
indices of the region of uncertainty R if they are given by the context. 

The vector 7 defines the tuple of componentwise distances to c. The presen- 
tation requires a formal definition of the set of all admissible 7. This set is either 
a box or a line. Let 7 G K^q. Then we define the unique open axis-parallel box 
with vertices and 7 as 

r-box^ := {7' = (7;, . . . , 7[.) : 7,' S (0, 7.) for all z G /} 

and the open diagonal from to 7 inside of -T-box ^ as 

r-line^ := {7 : 7 = A7 with A e (0, 1)} . 

It is important that the 7.^ can be chosen arbitrarily small whereas the upper 
bounds 7i are only introduced for technical reasons; we assume that 7 is "suffi- 
ciently" smallo Occasionally we omit 7. 

We have already seen that there is need to augment the region of uncertainty 
(see Issue 7 and 8 in Section l3^ . This task is accomplished by the mapping 
7 I— >■ aug(7) := ^ for t S (0, 1). For technical reasons we remark that 7 S F-hoxj 
if aug(7) £ F-hox^y, and 7 G F-linej if aug(7) € P-hne^. We call i?/,aug(7) the 
augmented region of uncertainty for f under aug(7). By F we denote the set of 
valid augmented 7 and include it in the predicate description. 

® It is fine to ignore this information during first reading. More information and the 
formal bound is given in Remark [3l2 on Page I27l 
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/■ 




/"'"^ guard fails ^~'\. 
/ __XSerpset) \ 


fp-safe evaluation 


^\ C wrong sign J / 






In Practice 



Fig. 5. The diagram of the practice-oriented terms. 



Definition 9. We extend Definition^ and call (/, fc,yl, 5, Cmax, -^) a predicate 



description if: 7. F = r'-line^ or F — r'-box^ for a sufficiently small 7 e ^^ 



>o- 



3.4 Overview: Classification of the Input 

In practice and in the analysis we deal with real-valued functions whose signs 
decide predicates. The arguments of these functions belong to the perturbation 
area. In this section we give an overview of the various characteristics for function 
arguments that we have introduced so far. We strictly distinguish between terms 
of practice and terms of the analysis. 

The diagram of the practice-oriented terms is shown in Figure [5l We con- 
sider the discrete perturbation area Us\q,. Controlled perturbation algorithms 
^CP are designed with intent to avoid the implementation of degenerate cases 
and to compute the combinatorial correct solution. Therefore the guards in the 
embedded algorithm ^g niust fail for the zero set and for arguments whose eval- 
uations lead to wrong signs. The guard is designed such that the evaluation is 
definitely fp-safe if the guard does not fail (light shaded region). Unfortunately 
there is no convenient way to count (or bound) the number of arguments in C4|g 
for which the guard fails. That is the reason why we perform the analysis with 
real arithmetic and introduce further terms. 

The diagram of the analysis-oriented terms is shown in Figure |6l We consider 
the real perturbation area Us- Instead of the zero set, we consider the critical set 
(see Definition [7|) . The critical set is a superset of the zero set. Then we choose 
the region of uncertainty as a neighborhood of the critical set (see Definition |S]). 
We augment the region of uncertainty to obtain a result that is also valid for 
floating-point evaluations. We intent to prove fp-safety outside of the augmented 
region of uncertainty (i.e. on the light shaded region). Therefore we design a fp- 
safety bound that is true outside of the region. This way we can guarantee that 
the evaluation of a guard (in practice) only fails on a subset of the augmented 
region (in the analysis). 



3.5 Applicability and Verifiability of Functions 

We study the circumstances under which we may apply controlled perturbation 
to a predicate in practice and under which we can actually verify its application 
in theory. We stress that we talk about a qualitative analysis here; the desired 
quantitative analysis is derived in the following sections. 
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augmented 
region of uncertainty 




provable fp-safe evaluation 



In the Analvsis 



Fig. 6. The diagram of the analysis-oriented terms (shown in black). 



Furthermore, we want to remark that verifiability is not necessary for the 
presentation of the analysis tool box. However, the distinction between appli- 
cability, verifiability and analyzability was important for the author during the 
development of the topic. We keep it in the presentation because it may also be 
helpful to the reader. Anyway, skipping this section is possible and even assuming 
equality between verifiability and analyzability will do no harm. 

In practice 

We specify the function property that the probability of a successful evaluation 
of / gets arbitrarily close to the certain event by increasing the precision. 

Definition 10 (applicable). Let (/, fc, A, (5, Cmax) be a predicate description. 
We call f applicable if for every p G (0,1) there is Lp Cz N such that the guarded 
evaluation of f is successful at a randomly perturbed input x € Us{x)\gi^ with 
probability at least p for every precision i G N with L > Lp and every x € A. 

Applicable functions can safely be used in guarded algorithms: Since the pre- 
cision L is increased (without limit) after a predicate has failed, the success 
probability gets arbitrarily close to 1 for each predicate evaluation. As a conse- 
quence, the success probability of .Ag gets arbitrarily close to 1, too. 



In the qualitative analysis 

Unfortunately we cannot check directly if / is applicable. Therefore we introduce 
two properties that imply applicability. 

Definition 11. Let (/, fc, A, 5, emax, -T-line, i) be a predicate description. 

~ (region- condition) . For every p G (0, 1) there is j E R^q such that the geo- 



metric failure probability is bounded in the way 

niUsix)) - ^ P> 
for all X <E A. We call this condition the region-condition. 



(9) 
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ifety- 

m 



— (safety- condition). There is a fp-safety bound S-mf f '■ N — > M>o on Us{A) 
witn 



lim 5i„f/(i)=0. (10) 

We call this condition the safety-condition. 
— (verifiable). We call f verifiable on Us{A) for controlled perturbation if f 
fulfills the region- and safety- condition. 

The region-condition guarantees the adjustability of the volume of the region of 
uncertainty. Note that the region-condition is actually a condition on the critical 
set. It states that the critical set is sufficiently "sparse". 

The safety-condition guarantees the adjustability of the fp-safety bound. It 
states that for every ip > there is a precision Lsafc G N with the property that 

Sin{f{L)<^ (11) 

for all L e N with L > igafc- We give an example of a verifiable function. 

Example 6. Let A C M be an interval, let 5 e M>o and let / : Us{A) ^- M be a 
univariate polynomial!^ of degree d with real coefficients, i.e., 

f{x) — Od- x"^ -{- Od-i ■ x'^^^ + . . . + ai • a; + cq. 

We show that / is verifiable. Part 1 (region-condition). Because of the funda- 
mental theorem of algebra (e.g., see Lamprecht 01]), / has at most d real roots. 
Therefore the size of the critical set C/ is bounded by d and the volume of the 
region of uncertainty R^{x) is upper-bounded by 2d'y. For a given p G (0, 1) we 
then choose 

{1-P)5 
which fulfills the region-condition because of 

^l[Us{x)) - 26 ^- 

Part 2 (safety-condition). Corollary [3] on page l68l provides the fp-safety bound 
SinffiL) := (d + 2) max \a,\ 2^"-('^+i)+i-^ 

l<i<d 

for univariate polynomials. Since S'int/(i) converges to zero as L approaches 
infinity, the safety-condition is fulfilled. Therefore / is verifiable. Q 



! 

^° Technically, the assumption Sinif{L) > is no restriction. 

'^^ We avoid the usual notation / G R[x] to emphasize that the domain of / must be 
bounded. 
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We show that, if a function is verifiable, it has a positive lower bound on its 
absolute value outside of its region of uncertainty. 

Lemma 1. Let (/, fc, A, (5, emaxj-T-line, t) he a predicate description and let f he 
verifiable. Then for every 7 € IR>0' ^^^^6 is (p E R>o with 

^< 1/(^)1 (12) 

for all X £ Us{x) \ R^{x) and for all x E A. 

Proof. We assume the opposite. That means, in particular, for every i g N there 
is ai S Us{x) \R^{x) such that |/(ai)l < j- Then {ai)i^fq is a bounded sequence 
with accumulation points in Us{x) \ Rj{x). Those points must be critical and 
hence belong to R-y{x). This is a contradiction. D 

Finally we prove that verifiability of functions implies applicability. 

Lemma 2. Let (/, fc, A, 5, Cmax, -T-line, t) he a predicate description and let f he 
verifiable. Then f is applicable. 

Proof. Let p G (0, 1). Then the geometric success probability is bounded by p. 
Therefore there must be an upper bound on the volume of the region of uncer- 
tainty (see Definition 111 p. In addition there is a precision Lgrid such that we may 
interpret this region as an augmented region i?aug(7) (see Theorem [T]). Further- 
more, there must be a positive lower bound on |/| outside of R^ (see Lemma [1]). 
Moreover, there must be a precision Lgafc for which the fp-safety bound is smaller 
than the bound on |/|. Be aware that this implies that the guarded evaluation 
of / is successful at a randomly perturbed input with probability at least p for 
every precision L > maxjisafc, -^grid}- That means, / is applicable (see Defini- 
tion [TUl). □ 

4 General Analysis Tool Box 

The general analysis tool box to analyze controlled perturbation algorithms is 
presented in the remainder of the paper. We call the presentation a tool box be- 
cause its components are strictly separated from each other and sometimes allow 
alternative derivations. In particular, we present three ways to analyze functions. 
Here we briefly introduce the tool box and refer to the detailed presentation of 
its components in the subsequent sections. The decomposition of the analysis 
into well-separated components and their precise description is an innovation of 
this presentation. 

The tool box is subdivided into components. At first we explain the analysis 
of functions. The diagram in Figure [7] illustrates three ways to analyze functions. 
We subdivide the function analysis in two stages. The analysis itself in the second 
stage requires three necessary bounds, also known as the interface, which are 
defined in Section [6] region-suitability, value- suitability and safety- suitability. In 
Section [7] we introduce the method of quantified relations which represents the 
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Fig. 7. Illustration of the various ways to analyze functions. 



actual analysis in the second stage. In the first stage, we pay special attention to 
the derivation of two bounds of the interface and suggest three different ways to 
solve the task. We show in Section |S] how the bounds can be derived in a direct 
approach from geometric measures. Furthermore, we show how to build-up the 
bounds for the desired function from simpler functions in a bottom-up approach 
in Section [9l Moreover, we present a derivation of the bounds by means of a 
"sequence of bounds" in a top-down approach in Section 1101 Finally, we show 
how we can derive the third necessary bound of the interface with an error 
analysis in Section [TT] 

We deal with the analysis of algorithms in Section 1141 The idea is illus- 
trated in Figure [25] on page[75l Again we subdivide the analysis in two stages. 
The actual analysis of algorithms is the method of distributed probability which 
represents the second stage and is explained in Section [14.31 The interface be- 
tween the stages is subdivided in two groups. Firstly, there are algorithm pre- 
requisites (to the left of the dashed line in the figure). These bounds are de- 
fined and derived in Section [14. II evaluation-suitability, predicate- suitability and 
perturbation-suitability. Secondly, there are predicate prerequisites (to the right 
of the dashed line in the figure). These are determined by means of function 
analyses. 



5 Justification of Analyses in Real Space 

This section addresses the problem to derive the success probability for fioating- 
point evaluations from the success probability which we determine in real space. 
Analyses in real space are without meaning for controlled perturbation imple- 
mentations (which use floating-point arithmetic) , unless we determine a reliable 
relation between floating-point and real arithmetic. To achieve this goal, we in- 
troduce an additional constraint on the precision in Section 15.11 and summarize 
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our efforts in the determination of tlie success probability in Section [521 This is 
the first presentation that adjusts the precision of the floating-point arithmetic 
to the shape of the region of uncertainty. 

5.1 The Grid Unit Condition 

Here we adjust the distance of grid points (i.e., the grid unit t) to the "width" 
of the region of uncertainty 7. As we have seen in Issue 8 in Section [3T2l the grid 
unit T must be sufficiently small (i.e., L must be sufficiently large) to derive a 
reliable probability pr(/|G) from pr(/). The problem is illustrated in Figure[3]on 
page 1151 We call this additional constraint on L the grid unit condition 

L > Lgrid (13) 

for a certain Lgrid S N. Informally, we demand that r ^ 7. Here we show how 
to derive the threshold L^rid formally. We refine the concept of the augmented 
region of uncertainty which we have mentioned briefly in Section 13.21 The dis- 
cussion of Issue 7 suggests an additive augmentation 7 = aug(7') that fulfills 

(I) , {II) 

To < li < 7i - ■^o 

for all 1 < i < fc where tq is an upper bound on the grid unit. However, in the 
analysis it is easier to handle a multiplicative augmentation 

(7/7) 7' 

for a factor t G (0,1), that means, we define aug(7') := ^- We call j the 
augmentation factor for the region of uncertainty. Together this leads to the 
implications 

(/) and (///) => tq < t ■ min 7^ 

l<i<k 

{II) and (///) ^ To < (1 - t) • min 7, 

l<i<k 
{IV) 

and consequently => tq < min {t, 1 — i} • min 7^ 

l<i<k 

Furthermore, we demand that tq is a power of 2 which turns {IV) into the 
equality 

{Y) 2[log2(min{t,l-t}-mini<i<fc 7i)J 

Due to Formula ([3]) in Definition [5] we also know that 

TO ^='^ 2'^— -^---1. 
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Therefore we can deduce Lgrid from {V) and {VI) as 



igrid(7) ■= Smax — 1 



log2 niin {t, 1 — t} • niin -fi ) 

\ l<i<k J 



(14) 



As an example, for i = ^ we obtain Lgrid(7) = emax — Llog2 ™'^i<4<fc 7d- We 
refine the notion of a predicate description. 

Definition 12. We extend Definition\^ and call (f^k, A,S,e^a.:>c, r,t) a predi- 
cate description if: 8. t ^ (0, 1). 

Now we are able to summarize the construction above. 

Theorem 1. Let {f,k, A,S,eYns^x, r,t) be a predicate description. Then 

tJ-JR-yix)) I Rtj{x)\G^ I 

niUsix)) - \Usix)\G,\ ^ ' 

for all precisions L > igi.id(7) where igrid *s defined in Formula H^- 

Remark 2. We add some remarks on the grid unit condition. 

1. Unequation ([T5|) guarantees that the success probability for grid points is 
at least the success probability that is derived from the volumes of areas. This 
justifies the analysis in real space at last. 

2. Be aware that the grid unit condition is a fundamental constraint: It does 
not depend on the function that realize the predicate, the dimension of the 
(projected or full) perturbation area, the perturbation parameter or the critical 
set. The threshold Lgrid mainly depends on the augmentation factor j and 7. In 
particular we observe that an additional bit of the precision is sufhcient to fulfill 
the grid unit condition for ^, i.e. 



■id (^ 2 ) "" ^g"d(7) 



1. 



3. We have defined the region of uncertainty Rf by means of axis-parallel 
boxes C/-y (c) for c G C/ in Definition |51 If Rf is defined in a different way, we 
must appropriately adjust the derivation of Lgrid in this section. 

4. We observe that the grid unit condition solves Issue 8 from Section 13.21 
Now we reconsider the example in Figure [3] on page [15] We observe that the grid 
unit in Picture (a) fulfills the grid unit condition whereas the condition fails in 
Pictures (b) and (c). Obviously, r ^ 7 in the latter cases. Q 

5.2 Overview: Prerequisites of the Validation 

It is important to see that the analysis must reflect the behavior of the underlying 
floating-point implementation of a controlled perturbation algorithms to gain a 
meaningful result. Only for the purpose to achieve this goal, we have introduced 
some principles that we summarize below. The items are meant to be reminders, 
not explanations. 
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— We guarantee that the perturbed input Ues on the grid G. 

— We analyze an augmented region of uncertainty. 

— The region of uncertainty is a union of axis-parallel boxes and, especially, 
intervals in the l-dimensional case. There are lower bounds on the measures 
of the box. 

— The grid unit condition is fulfilled. 

— We do not exclude isolated points, unless we can prove that their exclusion 
does not change the floating-point probability. It is always safe to exclude 
environments of points. 

— We analyze 77 runs of .4g at a time (see Section ri4.3p . 

With this principles at hand we are able to derive a valid analysis in real space. 

6 Necessary Conditions for the Analysis of Functions 

The method of quantified relations, which is introduced in the next section, ac- 
tually performs the analysis of real- valued functions. Here we prepare its appli- 
cability. In Section [6. II we present three necessary conditions: the region-, value- 
and safety-suitability. Together these conditions are also sufficient to apply the 
method. Because these conditions are deduced in the first stage of the function 
analysis (see Section I MTTj) and are used in the second stage (see Section [7]) , we 
also refer to them as the interface between the two stages (see Figure [5]). This is 
the first time that we precisely define the prerequisites of the function analysis. 
The definitions are followed by an example. In Section 16.21 we summarize all 
function properties. 



*- ^ , ^ 1 f —^ 

region-suitable value-suitable safety-suitable 



Fig. 8. The interface between the two stages of the analysis of functions. 



6.1 Analyzability of Functions 

Here we define and explain the three function properties that are necessary 
for the analysis. Their associated bounding functions constitute the interface 
between the two stages. Informally, the properties have the following meanings: 

— We can reduce the volume of the region of uncertainty to any arbitrarily 
small value (region-suitability). 

— There are positive and finite limits on the absolute value of / outside of the 
region of uncertainty (value-suitability) . 

— We can reduce the rounding error in the floating-point evaluation of / to 
any arbitrarily small value (safety-suitability). 
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The region-suitability 

The region-suitability is a geometric condition on the neighborhood of the critical 
set. We demand that we can adjust the volume of the region of uncertainty to 
any arbitrarily small value. For technical reasons we need an invertible bound. 

Definition 13 (region-suitable). Let (/, fc, A, 5, emaxj-T-line, i) be a predicate 
description. We call f region-suitable if the critical set of f is either empty or 
if there is an invertible upper-bounding functior^ 

Vf : r-YvciG — > ]R>o 

on the volume of the region of uncertainty that has the property: For every p G 
(0, 1) there is j E I^-linc such that 

Mi?.(x))^ .fh) ^ ^^_^^ ^^g^ 



l^iUsix)) - fiiUsix)) 



for all X E A. 



Remark 3. We add several remarks on the definition above. 

1. Region-suitability is related to the region-condition in the following way: 
The criterion for region-suitability results from the replacement of fi{R~^{x)) in 
Formula ^ with a function Vf. This changes the region-condition in Defini- 
tion [TT] into a quantitative bound. 

2. Of course, controlled perturbation cannot work if the region of uncertainty 
covers the entire perturbation area of x. We have said that we consider 7 € 
r'-line^ for a "sufficiently" small 7 G R>o- That means formally, we postulate 
1^(7) <C ii{Us[x)). To keep the notation as plain as possible, we are aware of this 
fact and do not make this condition explicit in our statements. 

3. The invertibility of the bonding function Vf is essential for the method 
of quantified relations as we see in the proof of Theorem [2l There it is used to 
deduce the parameter 7 from the volume of the region of uncertainty — with the 
exception of an empty critical set which does not imply any restriction on 7. 

4a. The function Vf provides an upper bound on the volume of the region of 
uncertainty within the perturbation area of x. Sometimes it is more convenient 
to consider its complement 

Xfil) -.^ tiiU^m ~ vf{^). (17) 

The function Xfil) provides a lower bound on the volume of the region of prov- 
able fp-safe inputs. 

4b. The special case i^/ = corresponds to the special case Xf = fJ- {Us{x)). 
Then the critical set is empty and there is no region of uncertainty. This implies 
that "^3/(7) can also be chosen as a constant function (see the value-suitability 
below) . 



^^ Instead of Vf we can also use its complement Xf- See the following Remark [3l4 for 
details. 
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4c. Based on Formula p7|) . we can demand the existence of an invertible func- 
tion Xf '■ -T'-line — ^ ]R>o instead of Vf in the definition of region-suitabihty. That 
means, either Xf = fJ- (Usix)) or Xf '■ r-\me — > M>o in an invertible function. 

5. We make the following observations about region-suitability: (a) If the 
critical set is finite, / is region-suitable, (b) If the critical set contains an open 
set, / cannot be region-suitable, (c) If the critical set is a set of measure zero, it 
does not imply that / is region-suitable. Be aware that these properties are not 
equivalent: If / is region-suitable, the critical set is a set of measure zero. But a 
critical set of measure zero does not necessarily imply that / is region-suitable: 
In topology we learn that Q is denseo in R; hence any open e-neighborhood of 
Q equals R. In set theory we learn thallB |Q| = Hq < 2^« = \R\; hence / cannot 
be region-suitable if the critical set is (locally) "too dense." Q 

The inf-value-suitability 

The inf-value-suitability is a condition on the behavior of the function /. We 
demand that there is a positive lower bound on the absolute value of / outside 
of the region of uncertainty. 

Definition 14 (inf- value-suitable). Let {f,k,A,S,emax,r-\me,t) be a predi- 
cate description. We call f (inf-)value-suitable if there is a lower-bounding func- 
tion 

(pinff : r-line-)- R>o 

on the absolute value of f that has the property: For every 7 £ r'-line, we have 

'^inf/(7) < \f{^)\ (18) 

for all X e Us{x) \ Rry{x) and for all x Cz A. 

We extend this definition by an upper bound on the absolute value of / in 
Section [T2] and call this property sup- value-suitability; until then we call the inf- 
value-suitability simply the value-suitability and also write (/?/ instead of (p-mtf- 
The criterion for value-suitability results from the replacement of the constant 
If in Formula (112^ with the bounding function iff. This changes the existence 
statement of Lemma [T] into a quantitative bound. 

The inf-safety-suitability 

The inf-safety-suitability is a condition on the error analysis of the floating- 
point evaluation of /. We demand that we can adjust the rounding error in the 
evaluation of / to any arbitrarily small value. For technical reasons we demand 
an invertible bound|l£| 

^^ Topology: "Q is dense in R" means that Q = R. For example, see Janich |35l p. 63]. 
^'* Set Theory: Cardinalities of (infinite) sets are denoted by Ni. For example, see 

Deiser [H 162fl]. 
^* We leave the extension to non-invertible or discontinuous bounds to the reader; we 

do not expect that there is any need in practice. 
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Definition 15 (inf-safety-suitable). Let (/, fc, A, 5, emax) be a predicate de- 
scription. We call f (inf-)safety-suitable if there is an injective fp-safety bound 
Sinif{L) : N — > K>o that fulfills the safety- condition in Formula HO]} and if 

5rJ^:(0,5i„f/(l)]^R>o. 
is a strictly monotonically decreasing real continuation of its inverse. 

We extend the definition by sup-safety-suitability in Section 1121 until then we 
call the inf-safety-suitability simply the safety-suitability. 

The analyzability 

Based on the definitions above, we next define analyzability, relate it to verifia- 
bility and give an example for the definitions. 

Definition 16 (analyzable). We call f analyzable if it is region-, value- and 
safety-suitable. 

Lemma 3. Let f be analyzable. Then f is verifiable. 

Proof. If / is analyzable, / is especially region-suitable. Then the region-condition 
in Definition [11] is fulfilled because of the bounding function Vf . In addition / 
must also be safety-suitable. Then the safety-condition in Definition [TT] is ful- 
filled because of the bounding function S'inf /• Together both conditions imply 
that / is verifiable. D 

We support the definitions above with the example of univariate polynomials. 
Because we refer to this example later on, we formulate it as a lemma. 

Lemma 4. Let f be the univariate polynomial 

f{x) ^Od- x'^ + Od-i ■ x'^^'^ + . . . + ai • X -f ao (19) 

of degree d and let (/, fc, A, (5, emax,^-hne, t) be a predicate description for f. 
Then f is analyzable on Us (A) with the following bounding functions 



Vf{-f) : 


= 2d7 




(20) 


Viil) ■ 


= |a<i|-7' 




(21) 


Sinif{L) : 


= (d + 2) max ja^l 2"'" 


ax(d-|-l) + l-L 





l<i<d 



Proof. For a moment we consider the complex continuation of the polynomial, 
i.e. / G C[z]. Because of the fundamental theorem of algebra (e.g., see Lam- 
precht [H]), we can factorize / in the way 



d 



fiz) = ad-Y[{z~Q) 



i=l 
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since / has d (not necessarily distinct) roots Q G C. Now let 7 G K>o. Then we 
can lower bound the absolute value of / by 

\fiz)\>\a,\-l' 

for all 2: e C whose distance to every (complex) root of f{z) is at least 7. 
Naturally, the last estimate is especially true for real arguments x whose distance 
to the orthogonal projection of the complex roots Q onto the real axis is at least 
7. So we set the critical set tcQ Cf{x) := {Re(Cz) : 1 < i < d} n Us{x). This 
validates the bound t^/ and implies that / is value-suitable. 

Furthermore, the size of C/ is upper-bounded by d for all x €i A. This vali- 
dates the bound Vf. Because i^f is invertible, / is region-suitable. 

The bounding function S'inf / (L) is proven in Corollary [3] in Section [TTJ Be- 
cause Sinff{L) is invertible, / is also safety-suitable. As a consequence, / is 
analyzable with the given bounds. D 

We admit that we have chosen a quite simple example. But a more complex 
example would have been a waste of energy since we present three general ap- 
proaches to derive the bounding functions for the region- and value- suitability 
in Sections [51 [HI and 1101 That means, for more complex examples we use more 
convenient tools. A well-known approach to derive the bounding function for the 
safety-bound is given in Section [TTJ 

6.2 Overview: Function Properties 

At this point, we have introduced all properties that are necessary to precisely 
characterize functions in the context of the analysis. So let us take a short break 
to see what we have defined and related so far. We have summarized the most 
important implications in Figure [9] Controlled perturbation is applicable to a 
certain class of functions. But only for a subset of those functions, we can actually 
verify that controlled perturbation works in practice — without the necessity, or 
even ability, to analyze their performance. We remember that no condition on the 
absolute value is needed for verifiability because it is not a quantitative property. 
A subset of the verifiable functions represents the set of analyzable functions in a 
quantitative sense. For those functions there are suitable bounds on the maximum 
volume of the region of uncertainty, on the minimum absolute value outside of 
this region and on the maximum rounding error. In the remaining part of the 
paper, we are only interested in the class of analyzable functions. 



7 The Method of Quantified Relations 

The method of quantified relations actually performs the function analysis in 
the second stage. The component and its interface are illustrated in Figure [TOl 



^^ Complex Analysis: The function Re{z) maps a complex number 2 to its real part. 
For example, see Fischer et al. [19j . 
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region-suitable 



valiie-siiitable 



Kafetv-suitable 




In the Analysis 
(quantitative) 



applicable 



In Practice 



Fig. 9. The illustration summarizes the implications of the various function prop- 
erties that we have defined in this paper. A function that is region-, value- and 
safety-suitable at the same time is also analyzable (see Definition \TE\\ . An an- 
alyzable function is also verifiable (see Lemma [3]). And a verifiable function is 
also applicable (see Lemma [2]). 
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Fig. 10. The method of quantified relations and its interface. 



We introduce the method in Section 17.11 Its input consists of three bounding 
functions that are associated with the three suitability properties from the last 
section. The applicability does not depend on any other condition. The method 
provides general instructions to relate the three given bounds. The prime objec- 
tive is to derive a relation between the probability of a successful fioating-point 
evaluation and the precision of the floating-point arithmetic. More precisely, the 
method provides a precision function L{p) or a probability function p{L). This 
is the first presentation of step-by-step instructions for the second stage of the 
function analysis. An example of its application follows in Section 17.21 



7.1 Presentation 



There are no further prerequisites than the three necessary suitability properties 
from the last section. Therefore we can immediately state the main theorem of 
this section whose proof contains the method of quantified relations. 
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Theorem 2 (quantified relations). Let {f,k,A,S,e^s,x,r-\me,t) be a predi- 
cate description and let f be analyzable. Then there is a method to determine 
a precision function Lf : (0,1) — > N such that the guarded evaluation of f at 
a randomly perturbed input is successful with probability at least p £ (0, 1) for 
every precision i G N with L > Lf{p). 

Proof. Wc show in six steps how we can determine a precision function Lf[p) 
which has the property: If we use a floating-point arithmetic with precision Lf{p) 
for a given p £ (0, 1), the evaluation of /(x)|g is guarded with success probabihty 
of at least p for a randomly chosen x £ Us(x)\c, and for any x E A. An overview 
of the steps is given in Table [TJ Usually we begin with Step 1. However, there 
is an exception: In the special case that i/j = 0, we know that the bounding 
function tp is constant, see Remark [3]4 for details. Then we just skip the first 
four steps and begin with Step 5. 



Step 1: relate probability with volume of region of uncertainty (define Ev) 
Step 2: relate volume of region of uncertainty with distances (define 7) 
Step 3: relate distances with fioating-point grid (choose t) 
Step 4: relate new distances with minimum absolute value (define tp) 
Step 5: relate minimum absolute value with precision (define Lsafc) 
Step 6: relate Lsafo with Lgrid (define Lgrid and Lf) 



Table 1. Instructions for performing the method of quantified relations. 



Step 1 (define e^). We derive an upper bounding function ey{p) on the volume 
of the augmented region of uncertainty from the success probability p in the way 

e,[p):={l-p)-ii{Us) (22) 

k 

= {l-p)-\{{25,). 

i=l 

That means, a randomly chosen point x € Us{x) lies inside of a given region of 
volume Si, (p) with probability at least p. Be aware that we argue about the real 
space in this step. 

Step 2 (define 7). We know that there is 7 € M^g that fulfills the region- 
condition in Definition [TT] because / is verifiable. Since / is even region-suitable, 
we can also determine such 7 S P-line by means of the inverse of the bounding 
function Vf. The existence and invertibility of Vf is guaranteed by Definition [T31 
Hence we define the function 

-f{p) := iyj\e,{p)) e r-\me. (23) 

We remember that there is an alternative definition of the region-suitability 
which we have mentioned in Remark [314. Surely it is also possible to use the 
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bounding function Xf instead of Vf in the method of quantified relations directly; 
the alternative Steps 1' and 2' are introduced in Remark |4l2. 

Step 3 (choose t) . We aim at a result that is valid for floating-point arithmetic 
although we base the analysis on real arithmetic (see Section [5|). We choosa^l 
t G (0,1) and define Rt-y as the normal sized region of uncertainty. Due to The- 
orem [U the probability that a random point x g Us{xJg lies inside of Rfyixjis 
is smaller than the probability that a random point x S Us{x) lies inside of 
R.y{x). Consequently, if a randomly chosen point lies outside of the augmented 
region of uncertainty with probability p, it lies outside of the normal sized region 
of uncertainty with probability at least p. Our next objective is to guarantee a 
floating-point safe evaluation outside of the normal sized region of uncertainty. 

Step 4 (define ip). Now we want to determine the minimum absolute value 
outside of the region of uncertainty Rtj{x). We have proven in Lemma [1] that a 
positive minimum exists. Because / is value-suitable, we can use the bounding 
function iff for its determination (see Definition I14[). That means, we consider 

f{p) -^Vfit-lip))- 

Step 5 (define Lgafc)- So far we have fixed the region of uncertainty and have 
determined the minimum absolute value outside of this region. Now we can use 
the safety-condition from Definition [11] to determine a precision Lgafo which im- 
plies fp-safe evaluations outside of Rtj- That means, we want that Formula (jlip 
is valid for every L G N with L > igafe- Again we use the property that / is 
analyzable and use the inverse of the fp-safety bound S^f r in Definition [15] to 
deduce the precision from the minimum absolute value f{p) as 

isafc(p) = \sr^,f (^/ {t ■ v-^ (£, (p))) ) j . (24) 

Step 6 (define igrid and Lf). We numerate the component functions of vl 
in the way vl (e) = (z/j~ (e), . . . , z/^T (e)). Then we deduce the bound Lgiid from 
Formula (jM]) and Formula (|23]) in the way 



^^xiAxP) • — ^max -L 



log2 min{i, 1 - i} • min v^ ^{e^{p)) 



l<i<k 



(25) 



Finally we define the precision function Lf (p) pointwise as 

Lf{p) := max{Lsafo(p), igrid(p)} ■ (26) 

Due to the used estimates, any precision L € N with L > Lf{p) is a solution. D 

Remark 4- We add some remarks on the theorem above. 

1. It is important to see that Lgafe is derived from the volume of i?/ and 
is based on the region- and safety condition in Definition [TT] whereas Lg^id is 



^'^ The analysis works for any choice. However, finding the best choice is an optimization 
problem. 
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derived from the narrowest width of Rf and is based on the grid unit condition 
in Section Ism Of course, Lf{p) must be large enough to fulfill both constraints. 
2. As we have seen, we can also use the function Xf to define the region- 
suitability in Definition [T31 Therefore we can modify the first two steps of the 
method of quantified relations as follows: 

Step 1' (define e^). Instead of Step 1, we define a bounding function s^{p) on 
the volume of the complement of Rf from the given success probability p. That 
means, we replace Formula (|22|) with 



£xip) -^P- KUs) 



p- 



n(2'^» 



Step 2' (define 7). Then we can determine 7(p) with the inverse of the bounding 
function Xf- That means, we replace Formula (j23p with 

l{p) ■=Xj\£xiP)) e ^-line 
which finally changes Formula ([M)) into 



^safc 



(P) 



S: 



inf/ 



[ipf{t-xjH£xiP)) 



We make the observation that these changes do not affect the correctness of the 
method of quantified relations. 

3. It is important to see that the method of quantified relations is absolutely 
independent of the derivation of the bounding functions which are associated 
with the necessary suitability properties. Especially in Step 2, 7 is determined 
solely by means of the function v~^. We illustrate this generality with the ex- 
amples in Figure [TT] The three pictures show different regions of uncertainty 



27 



r27 




27 



(a) (b) (c) 

Fig. 11. Visualization of v^^{eu) in Step 2 of the method of quantified relations. 



for the same critical set and the same volume e,y. This is because the region of 
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uncertainties result from different functions i/^^. We could say that the function 
v~^ "knows" how to distribute the region of uncertainty around the critical set 
because of its definition in the first stage of the analysis. For example: (a) as 
local neighborhoods, (b) as axis-parallel stripes, or (c) as neighborhoods of local 
minima of / (the dashed line). (We remark that case (c) presumes that / is 
continuous.) Naturally, different functions v^^ lead to different values of 7 as 
is illustrated in the pictures. Be aware that the method of quantified relations 
itself is absolutely independent of the derivation of ly and especially independent 
of the approach by which i/ is derived. (We present three different approaches 
soon.) 

4. If / is analyzable and ipf invertible, we can also derive the success proba- 
biUty p from a precision L. We observe that the function e^ in Formula (|22p is 
always invertible. Therefore we can transform Formula (|24|) and ([25| into 



pUL):^e-'(^,yf(^yipj'iSi,,tf{L)) 






iin{i, 1 - t} 

respectively, where v~^ is the least growing component function of v^ and 
r^* is the inversion of v^^ . This leads to the (preliminary) probability function 
p/:N^(0,l), 

Pf{L) ■=mm{piai{L),Pgrid{L)} 

for parameter t e (0, 1). We develop the final version of the probability function 
in Section Fl2.2l Self-evidently we can also derive appropriate bounding functions 
for X instead of v (see Remark 2). O 

7.2 Example 

To get familiar with the usage of the method of quantified relations, we give a 
detailed application in the proof of the following lemma. 

Lemma 5. Let f be a univariate polynomial of degree d as shown in For- 
mula il9\} and let {f,k, A,S,ema.x, r-lme,t) be a predicate description. Then we 
obtain for f: 

isafc(p) :- \-d\og2{l-p) + Cul (27) 

where 

_, (d + 2) ■ maxi<,<rf |a,| ■ 2^"'°''('^+i)+i 
'" •" ^^' \a4 ■ {tS/dr 

Proof. The polynomial / is analyzable because of Lemma |4l Therefore we can 
determine Lsafe with the first 5 steps of the method of quantified relations (see 
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Theorem [2]) . 

Step 1: Since the perturbation area Us{x) is an interval of length 26, the region 

of uncertainty has a volume of at most 

e,{p):=2Sil-p). 

Step 2: Next we deduce 7 from the inverse of the function in Formula (PU)) . that 
means, from vj^le) = ^. We obtain 

7(p) := ., (sAp)) = ^^ = -^■ 

Step 3: We choose t G (0, 1). 

Step 4: Due to Formula (PT|) . the absolute value of / outside of the region of 

uncertainty is lower-bounded by the function 

ftsa-p) 



\ad\ 



\ d 



Step 5: A fp-safety bound 5inf / is provided by Corollary [3] in Formula ([5(H) . The 
inverse of this function at ip{p) is 

^_i , , ,, , (d + 2)-maxi<,<<i|a,|-2'^— ('^+i)+i 
S^nifMp)) = log2 -^^ • 

Due to Formula ([M)) . this leads to 

isafe(p) := SrJ^{(p{p)) 

(d + 2) ■ maxi<,<rf \a,\ ■ 2^"^°^('^+i)+i 

°^' \ad\-mi~p)/dr 

{d + 2) ■ maxi<i<d \ai\ ■ 2" 



-dlog2(l-p) + log 



,(d+l) + l' 



W\ ■ {t5/dY 
as was claimed in the lemma. D 

Since the formula for Lsatcip) in the lemma above looks rather complicated, we 
interpret it here. We observe that Cu is a constant because it is defined only 
by constants: The degree d and the coefficients at are defined by /, and the 
parameters emax and S are given by the input. We make the asymptotic behavior 
Lssifcip) = O {—d\og2{l — p)) for p — >■ 1 explicit in the following corollary: We 
show that d additional bits of the precision are sufficient to halve the failure 
probability. 

Corollary 1. Let f be a univariate polynomial of degree d and let Lsatc : (0, 1) — ^ 
N be the precision function in Formula \21^ . Then 

Lsaic -Tr~ ] = -^safc(p) + d. 



General Analysis Tool Box for Controlled Perturbation 
Proof. Due to Formula ()27|) we have: 



37 



L 



safe 



1+p 



-d\og2 1- 



l+p 



-d\og2 



l-p 



= M(log2(l-p)-log2(2)) + c„l 
= \-dlog2{l~p) + d + Cu] 
= [-dlog2(l -p) + Cu]+d 

= isafo(p) +d 

Because d is a natural number, we can pull it out of the brackets. 



D 



8 The Direct Approach Using Estimates 

This approach derives the bounding functions which are associated with region- 
and value-suitability in the first stage of the analysis (see Figure [T^ . It is par- 
tially based on the geometric interpretation of the function / at hand. More 
precisely, it presumes that the critical set of / is embedded in geometric ob- 
jects for which we know simple mathematical descriptions (e.g., lines, circles, 
etc.). The derivation of bounds from geometric interpretations is also presented 
in [45146) . In Section I5TT] we explain the derivation of the bounds. In Section 
we show some examples. 




region-s. value-s. 



Fig. 12. The direct approach and its interface. 



8.1 Presentation 

The steps of the direct approach are summarized in Table [H To facilitate the 
presentation of the geometric interpretation, we assume that the function / is 
continuous everywhere and that we do not allow any exceptional points. Then 
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the critical set of / equals the zero set of /. Hence the region of uncertainty is 
an environment of the zero set in this case. We define the region of uncertainty 
R^ as it is defined in Formula ([8]). In the first step, we choose P-line which is 
the domain of 7. Or in other words, we choose 7. Sometimes, certain choices of 
T^-line may be more useful than others, e.g., cubic environments where 7^ = 7^ 
for all 1 < i,j < k. 

Now assume that we have chosen P-line. In the second step, we estimate (an 
upper bound on) the volume of the region of uncertainty R^ by a function Vf (7) 
for 7 € _r-line. In the direct approach, we hope that a geometric interpretation 
of the zero set supports the estimation. For that purpose it would be helpful if 
the region of uncertainty is embedded in a line, a circle, or any other geometric 
structure that we can easily describe mathematically. 

Assume further that we have fixed the bound Vf. In the third step, we need 
to determine a function 1^/(7) on the minimum absolute value of / outside of 
Rj. This is the most difficult step in the direct approach: Although geometric 
interpretation may be helpful in the second step, mathematical considerations are 
necessary to derive iff. Therefore we hope that ipf is "obvious" enough to get 
guessed. If there is no chance to guess (/?/, we need to try one of the alternative 
approaches of the next sections, that means, the bottom-up approach or the 
top-down approach. 



Step 1: choose the set .T-line (define 7) 

Step 2: estimate i^fij) in dependence on .T-Iine (define i/f) 

Step 3: estimate V'/(7) in dependence on Vf{'y) (define ipj) 



Table 2. Instructions for performing the direct approach. 



8.2 Examples 

We present two examples that use the direct approach to derive the bounds for 
the region-value-suitability. 

Example 7. We consider the in_box predicate in the plane. Let u and v be two 
opposite vertices of the box and let q be the query point. Then in_box(u, v,q) is 
decided by the sign of the function 

f{u,v,q) = f{u^,Uy,v^,Vy,qx,qy) 

:= max{((7j; - u^) {qx - v^) , (qy - Uy) [qy - Vy)) . (28) 

The function is negative if x lies inside of the box, it is zero if x lies in the 
boundary, and it is positive if x lies outside of the box. 

Step 1: We choose an arbitrary 7 = (71,^ , %^ , %^ , %^ , %^ , 7<2„ ) e M.%. 
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Step 2: The box is defined by u and v. This fact is true independent of the 
choices for 7„_^ , 7„ , 7„_^ and 7t, . We observe that the largest box inside of the 
perturbation area Us is the boundary of Us itself. This observation leads to the 
upper bound 

on the volume of the region of uncertainty if we take the horizontal distance 7,^ 
and the vertical distance ^q^ from the boundary of the box into account. That 
means, Vf depends on the distances 7^^ and 7^ of the query point q from the 
zero set. 

Step 3: The evaluation of Formula (|28p at query points where qx has distance 
7^^ from Ux or Vx, and qy has distance 7^ from Uy or Uy, leads to 

<P/(7) := min {|7g, - 7gx ' l«x - U:.|| , 7g„ " 7g« ' \vy - Wyl } ■ 
The derived bounds fulfill the desired properties. Q 

Example 8. We consider the in_circle predicate in the plane. Let c be the cen- 
ter of the circle, let r > be its radius, and let q be the query point. Then 
in_circle(c, r, q) is decided by the sign of the function 

f{c,r,q) = f{cx,Cy,r,qx,qy) 

:= [Qx - Cx) + {qy - Cy) - r^ (29) 

The function is negative if x lies inside of the circle, it is zero if x lies on the 
circle, and it is positive if x lies outside of the circle. 

Step 1: We choose 7 = (7c^,7c„, >,%,,% J e M.i.Q where %^ = %^. In 
addition, we choose 7r < r for simplicity. 

Step 2: The largest circle that fits into the perturbation area Us has radius 
imii{6x,Sy}. If we intersect any larger circle with Us, the total length of the 
circular arcs inside of Us cannot be larger than 2tt ■ unn{Sx,Sy}. This bounds 
the total length of the zero set. 

Now we define the region of uncertainty by spherical environments: The re- 
gion of uncertainty is the union of open discs of radius -fq^ which are located at 
the zeros. Then the width of the region of uncertainty is given by the diameter 
of the discs, i.e., by 27^^. As a consequence, 

'^/(7) = t^/(7c,,7c„,7r,7?x,7?J 
■.^4:TTjq^ ■ min {Sx,Sy} 

is an upper bound on the volume of Rs. That means, Vf depends on the distance 
jq^ of the query point q from the zero set. 

Step 3: The absolute value of Formula (|29|) is minimal if the query point q 
lies inside of the circle and has distance 7^^ from it. This leads to 

ffil) ■= (r ~ IqS - r"^ 

= Iq. ilq. - 2r) . 
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The derived bounds fulfill the desired properties. 



o 



9 The Bottom-up Approach Using Calculation Rules 



In the first stage of the analysis, this approach derives the bounding functions 
which are associated with the region- and value-suitability (see Figure [13]). We 
can apply this approach to certain composed functions. That means, if / is com- 
posed by g and h, we can derive the bounds for / from the bounds for g and h 
under certain conditions. We present some mathematical constructs which pre- 
serve the region- and value-suitability and introduce useful calculation rules for 
their bounds. Namely we introduce the lower-bounding rule in Section 19. 1[ the 
product rule in Section 19.21 and the min rule and max rule in Section 19.31 We 
point to a general way to formulate rules in Section 19.41 The list of rules is by 
far not complete. Nevertheless, they are already sufficient to derive the bound- 
ing functions for multivariate polynomials as we show in Section 19.51 With the 
bottom-up approach we present an entirely new approach to derive the bounding 
functions for the region- suitability and value- suitability. Furthermore we present 
a new way to analyze multivariate polynomials. 




Fig. 13. The bottom-up approach and its interface. 



9.1 Lower-bounding Rule 

Our first rule states that every function is region- value-suitable if there is a lower 
bounding function which is region-value-suitable. Note that there are no further 
restrictions on /. 

Theorem 3 (lower bound). Let (/, fc, A,(5, Cmax, -^-lme,i) be a predicate de- 
scription. If there is a region-value-suitable function g : Us{A) — >■ R and c G M>o 
where 



\fix)\>c\g{x)\, 



(30) 
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then f is also region-value-suitable with the following bounding functions: 

If f is in addition safety-suitable, f is analyzable. 

Proof. Part 1 (region-suitable). Let (ai)igN be a sequence in the set Us{x) with 
lmii-).oo f (oi) = 0. Then Formula (PH)) implies that Mmi^oo g{i^i) = 0. That 
means, critical points of / are critical points of g. Therefore we set Cf{x) := 
Cg{x). As a consequence the region bound Vfi"^) '■= i^gil) i^ sufficient for the 
region-suitability of /. 

Part 2 (value-suitable). Because we set Gf{x) = Cg{x), we have Rf{x) = 
Rg{x). Due to Formula (pO)) . the minimum absolute value of / outside of the 
region of uncertainty Rf{x) is bounded by the minimum absolute value of g 
outside of the (same) region of uncertainty Rg{x). Hence the bound 1^9/(7) = 
c(pg{'j) is sufficient for the value-suitability of /. 

Part 3 (analyzable). Trivial. D 

9.2 Product Rule 

The next rule states that the product of region- value-suitable functions is also 
region- value-suitable. Furthermore, we show how to derive appropriate bounds. 

Theorem 4 (product). Let {f,k,AgxAgfixAfi,S,emax,r-\me,t) be a predicate 

description where Ag C W , Agh C M^"-' and Ah C M'"^^ for j £ No and ^, fc G N 
with j < £ < k. If there are two region-value-suitable functions 

9 ■■ U(s,,...,5e){Ag X Agh) -^R. 
h: ty^s,^,^...M{Agh X A,,)^K 

such that 

f{xi,...,Xk) = g{xi,...,xi) ■ h{xj+i,...,Xk), 

then f is also region-value-suitable with the following bounding functions: 

Vfh) -^fgill, ■■■,!£) ■^h{lj + l,---,lk) (31) 

^fil) :=niin<^ H^^*^*)' 

fc ■'1 

i^g{lu...n,)X{{26i) +VH{ij+i,...,ik)X{{'25^. (32) 

i=l+l 1=1 ) 

Furthermore, if j — i, we can replace the last equation by the tighter bound 

Xfil) :=Xg(7i,---,7j) ■Xhhj+i,---,lk)- (33) 

/// is in addition safety- suitable, f is analyzable (independent of j ~ £). 
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Rh,{je+i,....ik){Ah) 




Xe+l, ■■■,Xf: 



TT 



A„ 



^g-di, ■■■,i3)y SI 



X\^ ...^Xj 



Fig. 14. Case j — t. The (dark shaded) complement of Rf is the Cartesian 
product of the complement of Rg and the complement of Rh- 



Proof. Part 1 (value-suitable). Let x e Us{x) such that (xi, . . . , xi) does not lie 
in the region of uncertaintjt^ of 5, that means 

{xi,...,xt) ^i?g^(^j^...^^,)(Si,...,Xf), (34) 

and that (xj+i, . . . ,Xk) does not lie in the region of uncertainty of /i, that means 

{xj+i,. ..,Xk)<^ Ri,xij+u---,ik)i^j+i^- ■ ■ ' ^k)- (35) 

Because g and h are value-suitable, we obtain: 

1/(2^)1 = \9{xi,-.-,Xi)\ ■ \h{xj+i,...,Xk)\ 
> (^g(7i,...,7<>) ■iph{jj+i,...,'yk) 

on the absolute value of /. 

Part 2 (region-suitable). Because of the argumentation above, we must con- 
struct the region of uncertainty Rf such that x € M''' lies outside of Rf only if 
the conditions in Formula (|M)) and psp are fulfilled. 

Case j = £. Then the arguments of (7 and h are disjoint. This case is illustrated 
in Figure [Ml We observe that for each point {xi,. . . ,Xj) outside of Rg and 
each point (x^+i, . . . ,Xfc) outside of Rh their concatenation x lies outside of 
Rf . Therefore we determine the volume of the complement of Rf inside of the 
perturbation area as 



^^ (UfAx) \ Rfn(^)) = M {Ug,{s^,...,s,)ixl,. ■ . , Xj) 



>)) 



^^{Uh.^ 



iSi^ 



^s^)ixi+i,...,xk) 



\-R/i,(7, + i,...,7fc)(a;f+l, • ■ • , Xk)) ■ 



^* To avoid confusion, we occasionally add the function name to the index of the region 
of uncertainty or the perturbation area within the proof, e.g. Rf,-y and Uf^s- 
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Rh,(l, + l,...,lk)i'^h X Agh) 




■^ 1 1 . • . , 2- J 



Xj^l, ..., Xi 



Rg,{iu-,ie)i^g ^ ^sft) 



Fig. 15. Case j < £: The (light shaded) region of uncertainty Rf is the union of 
two Cartesian products. 



As a consequence Formula ([33| is true. 

Case j < L In contrast to the discussion above, g and h share the arguments 
Xj+i, . . . ^Xi. This case is illustrated in Figure fTSl We denote the projection of 
the first j (respectively, the last k — £) coordinates by 7r<j (respectively, 7r>^). In 
this case, Formula ([33)) does not have to be true. That is why we define Rf as 

RfA^) '■= ■Rg,(7i,...,7«)(^l:---7S/!) X Tr>i{Us{x)) 

Utt<j{Us{x)) X Rh^(^^.^^^,,,^yi^){xj+i, . . . ,Xk). 

Now we can upper-bound the volume of Rf by means of Vg and Vh which leads 
immediately to the sum in the last line of Formula ([5^ . Of course, the volume 
of the region of uncertainty is bounded by the volume of the perturbation area 
which justifies the first line of Formula (|5^. This finishes the proof. D 



9.3 Min Rule, Max Rule 



The next two rules state that the minimum and maximum of finitely many 
region-value-suitable functions are also region-value-suitable. Furthermore, we 
show how to derive appropriate bounds. 

Theorem 5 (min, max). Let g and h be two region-value-suitable functions 
as defined in Theorem pi Then the functions 

/min, /max : Us{Ag X Agh X A,,) -^ M, 

/min(2;i, ■■■,Xk) ■■= m.in{g{xi, ..., Xi), h{xj+i, ..., Xk)} 
/max(a:i, ...,Xk) := max{g(a;i, . . . , xi), h{xj+i, . . . , Xk)} 
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are region-value-suitable with bounds V3/„,i„ and Vf^^^ for /min oi'^id bounds (ff_^ 
and Vf-^^^ for /max where 



Vf„„„ (7) 

<^/.„ax(7) 



min{.^g(7i, . . . , 7^), (^,,(7^+1, . . . ,7fc)} 
max{<^g(7i, . . .,ji),iph{jj+i, . . . ,7fc)} (36) 

^/(7) r^ee Formula O^)). 



Furthermore, if j — £, we can replace i^/,„i„(7) and I'f^^^i'^) by the tighter bounds 

X/„i„(7) := X/„ax(7) := Xs(7i, • ■ • ,7j) ' X/i(7j+i, • ■ • ,7fc)- 

If /min (respectively fmax) is in addition safety- suitable, it is also analyzable 
(independent of j — l). 

Proof. The line of argumentation follows exactly the proof of Theorem |4l D 

9.4 General Rule 

We do not claim that the list of rules is complete. On the contrary, we suggest 
that the approach may be extended by further rules. We emphasize that the 
bottom-up approach is constructive: We build new region-value-suitable func- 
tions from already proven region-value-suitable functions. The argumentation 
always follows the proof of the product rule, that means, the compound of g 
and h inherits the desired property from g and h: (a) outside of the union of 
the regions of uncertainty for shared arguments, and (b) inside of the Cartesian 
product of the complement of the regions of uncertainty for disjoint arguments 
(see Figure [HI) . 

We remark that, if we want to derive the bounds for a specific function /, we 
first need to determine the parse tree of / according to the known rules; this may 
be a non-obvious task in general. The instructions of the bottom-up approach 
are summed up in the following table. 



Step 1: determine parse tree according to the rules 

Step 2: determine bounds bottom-up according to the parse tree 



Table 3. Instructions for performing the bottom- up approach. 



9.5 Example: Multivariate Polynomials 

It is important to see that the rules lead to a generic approach to construct 
entire classes of region-value-suitable functions. In the following we use this ap- 
proach to analyze multivariate polynomials. (A different way to analyze multi- 
variate polynomials was presented before in [46].) So far we know that univariate 
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polynomials are region-value-suitable. Now we show how we transfer the region- 
value-suitability property of {k— l)-variate polynomials to /c-variate polynomials 
by means of the product rule and the lower bound rule. Moreover, we completely 
analyze fc-variate polynomials afterwards. 

Preparation 

We prepare the analysis of multivariate polynomials with further definitions. Let 
fc € N. For /3 e Nq and a; € M'' we define x'' as the term x^^ := x'^^ ■ . . . ■ x^^ . 

Next we define the reverse lexicographic ordeio on fc-tuples. Let a, /3 e Nq. 
Then we define a ^ /3 if and only if there is^e{l,...,fc} such that aj — /3j for 
all £ < j < k and ag < /?f . 

In addition we denote by 7'(/c) the set of bijective functions cr : {1, . . . , fc} — >■ 
{1, . . . , fc}. In other words, V{k) is the set of permutationCJ of {1, . . . , fc}. 

Now let a, (3 G Nq and let a <E V{k). We define the permutation a of a 
tuple a = (ai, . . . , Uk) by (T{a) := (a(T-i(i), . . . , acr-i(fc))- Further we define the 
reverse lexicographic order after the permutation a as 

a<c!^ :<^=> a{a)<a[fi). 

Let Z C N§ be finite. We denote the set of largest elements in I by 

2^max := {/3 e I : there is ct G 7^(fc) such that a^o-/3 for all a € I, a 7^ /?} . 

We observe that there may be /3 e I which do not belong to Imax- We observe 
further that different permutations may lead to the same local maximum. For 
each /3 e 2,„ax we collect these permutations in the set 

Vsi(k):={G^V(k) : /3 = max^^I}. 

The region- and value-suitability 

We prove that all multivariate polynomials are region-value-suitable. 

Lemma 6. Let (/, fc, A, (5, e,nax, ^-line, t) he a predicate description for the k- 
variate polynomial (k > 2) 

where X C Nq is finite and a^ G M^^o for all l E X. Then f is region-value-suitable. 
There are bounding functions for every /3 € X,„ax-' 

Vfh) := |a/3| -7^ 

k 



^^ For lexicographic order see Gormen et al. [11] . 
"^^ Algebra: For permutation see Lamprecht [41] . 
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Proof. Preparing consideration. Let /3 e 2,„ax and let <t e Vp{k). Once chosen, 
P and a are fixed in this proof. Because of the reverse lexicographic order, the 
maximal exponent of Xo.(fc) in f{x) is /3a-(k)- Therefore we can write / as 

/(a;) = &/3,(^,, ■ a;^"fc)' + &/j„(,)-i • 2;^^fc'i'" + ■ • • + foi • a;<T(fc) + &o 

where the &i(a;o-(i), ■ . ■ , a;<j(fc-i)) are (fc — l)-variate polynomials for < i < I3a{k)- 
For a moment we consider the complex continuation of the polynomial /, i.e. 
/ G C[z]. Furthermore we assuma^^ that the value of 6^^,^, is not zero. Then 
there are (icr(k) (not necessarily distinct) functions Q : C'°~^ — >■ C such that we 
can write / in the way 

/5<t(A:) 

i=l 

We remark that if we consider / as a polynomial in Zcr(/c) with parameterized 
coefficients 6.;, then the functions C,i define the parameterized roots. Even if 
the location of the roots is variable, the total number of the roots is definitely 
bounded by /3^(^k)- In case that Z£r(fc) has a distance of at least Ja(k) to the values 
Q , we can lower bound the absolute value of / by 

1/(2)1 > |fo/j„(,) (z<,(i),...,z^(fc„i))| -7^^^)' (37) 

Therefore this bound is especially true for real arguments. Before we end the 
consideration in the complex space, we add a remark. Sagraloff et al. [50146) 
suggested a way to improve this estimate: While preserving the total region- 
bound iff, it is possible to redistribute the region of uncertainty around the 
zeros of / in a way where the amount of the individual region-contribution 
per zero may differ; they have shown that a certain redistribution improves the 
estimate in Formula (|37|) . Next we use mathematical induction to prove that / 
is region- value-suitable. 

Part 1 (basis). Let j = 1. Due to Lemma |4] univariate polynomials are region- 
value-suitable. 

Part 2 (inductive step). Let I < j < k. We define the function gj as 

Since gj is a polynomial in j — 1 variables, gj is region- value-suitable by induction. 
Because of Theorem [3J the function \gj\ is region- value-suitable with the same 
bounds. Furthermore, we define the functions 



We discuss the assumption in Part 2 of the proof. 
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Obviously hj is region-value-suitable. We have \fj\ > \gj\ ■ hj. Then the product 
\gj\ ■ hj is also region- value-suitable because of Theorem SI Be aware that the 
construction of the estimate in Formula p7|) is based on the assumption that the 
coefficient 6^^, ., of fj is not zero. We observe that this is only guaranteed outside 
of the region of uncertainty of gj . We observe further that the construction in the 
proof of Theorem [3] preserves the region of uncertainty, that means, Rg^ C Rj^. 
Therefore the assumption is justified and we can conclude that fj is region- value- 
suitable. It remains to show that the claimed bounding functions tpj and i^f are 
true. 

Part 3 {(fif). The basis j — I follows from Lemma |4j 

fh (7<.(i)) := |a/3|-7^^i)'' 

(Be aware that the real coefficient ap is contained in every gj for 1 < j < k.) 
Now let 1 < j < fc. For the induction step we need the following observation: 
Because of the reverse lexicographic order, the maximal exponent of ^^.(j-i) in 
the parameterized coefficient 6/3^j^.j(xct(i), . . . ,a;o-(j_i)) is Paij-i)- We have 



ff, (7<T(i),---,7a(j)) := la/sl-H'^i 



3 

/3<t(£) 

e=i 



The case j = k proves the claim. 

Part 4 (x/)- The basis j — 1 follows from Lemma H) 

X/i {la(i)) := 2 ((5^(1) - /3^(i)7<t(i)) • 

Now let 1 < j < fc. Because the argument list of gj and hj are disjoint, we apply 
Formula ([55)) and obtain 

j 
Xf, (7<t(i), • ■ • ,7<T(i)) := n 2 (<^'^W " P'^W"f'^w) ■ 

The case j = k proves the claim. D 

The analysis 

Now we prove the analyzability of multivariate polynomials and apply the ap- 
proach of quantified relations to derive a precision function. 

Theorem 6 (multivariate polynomial). Let f be a k-variate polynomial 
(k > 2) of total degree d as defined in Lemma\^ and let (/, k, A, S, emax, -T-hne, t) 
be a predicate description for f with cubical neighborhoods Si — Sj and ji = jj 
for all I < i,j < k. Then f is analyzable. Furthermore, we obtain the bounding 
function 

Ls.Up) > r-/3* log2 (1 - yp) + Cm(/3)1 (38) 
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where 

(d + 1 + rioga IJID • \I\ ■ max,gx |a,J ■ 2^— -^+^'+1 ■ $P' 

c,„(/3) := log2 1 I ... ./3» • 

\a^\- {tSiY 

for P e Imax flTjrf /3 := niaxi<.,<fe jSi and /3* := X]i=i ft- 

We observe that $ < d and /3* < d. Note that the choice of /3 G Xmax is an 
optimization problem: We suggest to choose /? such that the constant (3* in the 
asymptotic bound Lsafe(p) = O (— /3* log(l — \/p)) for p — ?► 1 is smaU. 



Proof. Part 1 (analyzable). Let /3 G Xmax- Due to Lemma [SI / is region- value- 
suitable. In addition Corollary|3]provides a fp-safety bound 5'inf /(i) for fc-variate 
polynomials in Formula (|5T|) . The function S'inf/(L) converges to zero and is 
invertible. It follows that / is safety-suitable and thus analyzable. 

Part 2 (analysis). We apply the approach of quantified relations. Let (5i, 71 G 
R>o and Si = Si and 71 — ji for all 1 < i < fc. In addition let /3 := maxi<j<fc l3i. 
Step 1': At first we derive an upper bound e^ on the volume of the complement 
of the region of uncertainty according to the precision p. Naturally we obtain 



i=l 

Step 2': Because of the cubical neighborhood we redefine 

X/(7):=2"(5i-/37i)'- 
Then we use e^ and Xf to determine 71: 



^ 



^ 



/3 

Step 3: Since 7 represents the augmented region of uncertainty, the normal sized 
region is induced by tj. 



Xfil) 


= ex(p) 


(<5i-/37i)' 


= p2''S'l 


(-^r 


= P 


1-%- 


= Vp 


71 (p) : 


Si (1 - ^) 
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Step 4: Now we fix the bound ipf on the absolute value and set 

"piv) = ffiti{p)) 

= M ■ {tl{p)f 

k 

= |a/3|-n(*7.b)f 
1=1 

= \<^e\^^t^l<.p))"' 

where/3*:=EtiA- 

Step 5: To derive the bound on the precision, we consider the inverse of For- 
mula (1511) which is 



Sr^Mp)) - 10" ^' ^ ' "^ ^'"'' '^'^ ^ ■ '^' ■ "" '"^' ■ '""^''' 



log; 



fip) 

{d+l+ riog2 \I\^ ) • |Z| • max |aj • 2-»-'^+i • (2/3)^* 



|a;3|.(tJi(l-^)r 
-riog2(l-^) 

, (d+ 1 + riog^ IJID ■ |J| ■ max|aj ■ 2^— -^+1 ■ (2^)^' 
\a,\ ■ {tS,f 



Finally the claim follows from Lsafc(p) '■— S^^lf{(p{p)) 



D 



The formula for isafe(p) in the lemma above looks rather complicated. Therefore 
we study the asymptotic behavior Lsaic{p) — O (— dlog(l — ^/p)) for p — >• 1 in 
the following corollary: We show that "slightly" more than d additional bits of 
the precision are sufficient to halve the failure probability. 

Corollary 2. Let f be a k-variate polynomial (k > 2) of total degree d and let 
Lsaic ■ (0, 1) — 7- N &e the precision function in Formula i38\) . Then 

isafc (^^) < LsMp) + rA/3*l 



where /3* — J2i=i Pi ^ d and 



A := log2 ' 
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Proof. All quantities are as defined in Theorem [6l We obtain: 



L. 



safe 



-/?* I0g2 1 - 



l+P 



Cm(^) 



-/3* l0g2 (1 - ^) . — 



^fP 



Cm(/3) 



< isafc(p) 

This proves the claim. 






Cm(/3) 



/3* log2 



D 



10 The Top-down Approach Using Replacements 

This approach derives the bounding functions which are associated with region- 
and value-suitability in the first stage of the analysis (see Figure [T5)) . In the 
bottom-up approach we consider a sequence of functions which is incrementally 
built-up from simple functions and ends up at the function / under consideration. 
In contrast to that we now construct a sequence of functions top-down that begins 
with / and leads to a (different) sequence by dealing with the arguments of / 
coordinatewise. However, the top-down approach works in two phases: In the 
first phase we just derive the auxiliary functions and in the second phase we 
determine the bounds for the region- and value-suitability bottom-up. That is 
why we call this approach also pseudo-top-down. 






i3 o 



m a 



^ 



^ 



top-down 
approach 



^ 



P 



region-s. value-s. 



Fig. 16. The top-down approach and its interface. 



We remark that the idea of developing a top-down approach is not new: 
The idea was first introduced by Mehlhorn et al. [45] and their journal article 
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appeared in |46j . As opposed to previous publications, our top-down approach 
is different for several reasons: It is designed to fit to the method of quantified 
relations and it is based on our general conditions to analyze functions (we do 
not need auxiliary constructions like exceptional points, continuity or a finite 
zero set). 

New definitions are introduced in Section 110.11 We define the basic idea of a 
replacement in Section 110.21 Afterwards we sliow how we can apply a sequence 
of replacements to the function under consideration in Section [10.3l We present 
the top-down approach to derive the bounding functions in Section 110.41 Next 
we consider an example in Section 110.51 For clarity, we finally answer selected 
questions in Section [10.61 

10.1 Definitions 

We prepare the presentation with various definitions and begin with a projection. 
Let i,k€N with i < k, let / := {1, . . . , fc} and let 

s :{!,...,£} -^ I 

be an injective mapping. Then we define the projection 

TTs{x) := (2:^(1),..., a;s(f)) . 
In a natural way we extend the projection to sets X C M*'' by 

TTs{X) -.^{TTsix) : Xe X}. 

Since we often make use of the projection tt in the context of an index i d I, we 
define the following abbreviations in their obvious meaning: 



TTj^XJ 


= [Xi), 






<z{x) 


= (X1,.. 


,2^4-1), 




>z{x) 


= (2;»+l, 


■■,Xk), 




M^) 


= (X1,.. 


,X^^l,Xi+i,. 


■,Xk) 



We remark on this contextual definitions that the greatest index k is always 
given implicitly by the set / of indices. The usage of such orthogonal projections 
leads to the following condition on the set A of projected inputs: It is a necessary 
condition in the top-down analysis that A as well as the perturbation area Us{A) 
are closed axis-parallel boxes without holes. 

We briefiy motivate the next notation: Assume that the function / has a 
fc-ary argument. During the analysis of /, we often bind fc — 1 of these variables 
to values given in a (fc — l)-tuple, say £,. We do this to study the local behavior 
of / in dependence on a single free argument, say Xi. 

Definition 17 (free-variable star). Let (/, fc, A, (5, e,nax, -T-box, t) be a predi- 
cate description where A is an axis-parallel box without holes. In addition let I := 
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{1, . . . , fc} and let « G /. For each {k — \)-tuple ^ :— {S,i, ■ ■ ■ , £,i~i, Ci+ii • • • : Cfc) S 
7r^i(j4) we define the function fP{xi) as 

Xi 1-^ /^'(xj) = /(a;i,...,a;fe)|a;j=5j vje/, j#j = /(Ci, • • • ,6-i,a;j,C*+i, • • • ,Cfc)- 

In other words, we consider fP as the function / where Xi is a free variable 
and aU remaining variables are bound to the tuple ^. We illustrate the definition 
with an example and consider the function /(xi, X2, xa) :— 3x^ + 2x2 — 4x3. Then 
/(*4^y, is a function in X2 and we have 

/(4,7)(2^2) = /(a;i,X2,X3)|a;i=4AX3=7 

= 3 • 4^ + 2x^ - 4 • 7 = 2x^ - 20. 

We sometimes do not attach the tuple ^ to /** to relieve the reading if ^ is 
uniquely defined by the context. 

Once we focus on the function fP in one variable, say x^, we are interested 
in its induced critical set. Surely this critical set depends on the choice of ^. We 
have seen that the region-suitability is a necessary condition for the analyzability 
of the function. Therefore the next definition is used to mark those ^ for which 
fP is or is not region-suitable. 

Definition 18 (region-regularity). Let (/, fc, ^4,(5, emax, -^-box, t) be a predi- 
cate description where A is an axis-parallel box without holes. We call S^ G TT^i{A) 
region- regular if fP is region- suitable omri{A). Otherwise we call ^ non- region- 
regular. 

Finally we remark that the region-suitability of fP implies that the functions 
Vf,i and Xf'i exist. If i is fixed, there are families of functions fP (and hence 
families of functions i>fti and Xf*^) that depend on the region- regular ^. We 
examine these families in the next paragraph. 



10.2 Single Replacement 

From now on we consider the following setting: Let (/, A;,>1, (5, Cmaxj-T-box, i) 
be a predicate description where A is an axis-parallel box without holes and let 
I :— {1, . . . , k}. In addition we denote the domain of / by dom(/). 

We develop the top-down approach step-by-step. For a given index i G /, our 
first aim is to lower-bound the absolute value of / by a function g whose argument 
lists differ solely in the i-th position: While / depends on Xi G TTi{Us{A)), the 
function g depends on a new variable 7i G 7ri(-r-box). Hence we say that the 
construction of g is motivated by the replacement of Xi with 7^ in the argument 
fist of /. 

Now we present the construction of the function g for a fixed index i € L. We 
focus on the functions fP to study the local behavior of / in its i-th argument. 
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We are interested in tuples ^ e 7r^i(dom(/)) for which /f' is region-suitable. We 
collect these points in the set 

Xf^^ := {£, e 7r^j(doni(/)) : £, is region-regular} . 

To understand our interest in the set X/,i, we remind ourselves about the fol- 
lowing fact: For region-regular ^, open neighborhoods of the critical set Cf,i are 
guaranteed to exist for any given (arbitrarily small) volume. This is not true for 
non-region-regular points which therefore must belong to the critical set of the 
objective function. Next we define the objective function g. Let 

g : 7r<j(doni(/)) x 7ri(r-box) x 7r>i(dom(/)) -^ M>o, 

be the function with the pointwise definition 



: i^Xf^, 

(CI) (C2) 



n\^^) 



i e X^, 



(CI) : X, e^,(A) 

(C2) : X, eC7/..5,(S»)\%",^,(x,) 

for all ^ G 7r^i(dom(/)) and all 7^ £ tt,; (/^-box) . The domains dom(/) and dom(5) 
only differ in the i-th coordinate. Whenever ^ is non-region-regular, we set g 
to zero. (We remark that this is essential for the sequence of replacements in 
Section 110.31 since this handling triggers the exclusion of an open neighborhood 
of ^ — and not just the exclusion of the point ^ itself.) In case ^ is region-regular, 
we set g to the infimum of the absolute value of / outside of the region of 
uncertainty for the various xi. Note that we must consider the infimum in the 
definition of g in Formula (|39)) because |/|*| does not need to have a minimum. 
We do not assume that / is continuous or semi-continuous. 

Definition 19. We call the presented construction of the function g the func- 
tion resulting from the replacement of /'s argument Xi with 7^. We denote the 
replacement by rep(/, x^ — > 7^). 

We summarize the steps during the replacement of an argument of / and em- 
phasize the relation between the quantities: Let / be given. Then we begin with 
the consideration of the auxiliary function fT. We use it to determine the aux- 
iliary set of region- regular points Xf^i. To determine the function g afterwards, 
we examine fp again, but now only for the points in Xfj. 

In the proof of the analysis in Section 110.41 we use the statement that the 
replacement rep(/, x^ — > 7^) results in a positive function that lower bounds the 
absolute value of / in a certain sense. We formalize and prove this statement in 
the next lemma. 

Lemma 7. Let (/, fc. A, (5, Cmax, r'-box, t) be a predicate description where A is 
an axis-parallel box without holes, let I := {1, . . . , fc} and let i € I . Moreover, let 
g := rep(/, Xi — > 7^). Then we have 

1/(^1, . . . , ii-i,X^,^,+ i . . . , Cfc)l > ff(Cl, • ■ • , ^^-l,l^. ^^+l ...,&)> (40) 
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for all region-regular points ^ € Xf^i, for all ji G 7ri(F-box), for all Xi € T^i{A) 
and for all Xi G Uf*is.{xi) \ Rfti.y.{xi). 



Proof. The left unequation in Formula (j40l) follows immediately from, the con- 
struction of the function g = rep(/, x^ — > 7^) because we only consider points 
lying outside of the region of uncertainty Rf,i^^.(xi). 

To prove the right unequation in Formula (|40p . we assume that there is 
a region- regular ^ e Xj^i and 7.; S 7ri(r-box) such that the objective function 
ffl^i) • • • )?i-i)7i:6+i • • ■ :'?fc) = 0. This implics, for x^ £ 7ri(A), the existence of a 
sequence (aj)jgN in the area Uf-i^Sti^i) \ ^/", 71(^4) fo^ which limj^oo fPio-j) — 
0. Consequently a :— limj^oo Oj must belong to the critical set. Since the region 
of uncertainty Rf\.y- guarantees the exclusion of the open 7j-neighborhood of 
the critical set — which includes the open 7i-neighborhood of a — almost all points 
of the sequence (aj)jgN must also lie in Rfi.y.. This leads to a contradiction to 
the assumption and proves the claim. D 

We add the remark that the right unequation in Formula (j40p presumes that ^ 
is region-regular as is stated in the lemma. We obtain g = if Xf^i is the empty 
set. We continue with a simple example that illustrates the method to determine 
rep(/, Xi ^7i). 

Example 9. Let f{xi,X2) = x\ -\- x"^. Then / = {1, 2}. In addition let i = 2 and 
let A be an axis-parallel rectangle that contains the origin (0,0). We consider 
f^^ix2) ~ ^1 + xl- Since /*^ is region-suitable, this leads to X/^2 = 7''#2(^) = 
Tri{A). We obtain 



9(^1,12) := 



7I : a = o 

^i : otherwise. 



The critical set of g contains a single point in the case ^1 = and is empty in 
the other case. O 

We end this subsection with two observations. Firstly, although g{^i,'y2) > in 
the example above, the limit 

inf 9(^1,72) = 0. 

Secondly, if the lower-bounding function g is region-value-suitable, the function 
/ is also region- value-suitable because of Theorem [3l This observation is the 
driving force of the top-down approach. 

10.3 Sequence of Replacements 

So far we know how a variable Xi of the argument list of the function / under 
consideration can be replaced with a new variable 7^. The advantage of the 
new variable -fi is that it reflects the distance to the critical set, somehow. We 
announce that, opposed to xt, the variable 7^ is appropriate for the analysis. A 
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benefit of 7; is that it is not necessary to study the precise location of the critical 
set; the knowledge about the "width" of the critical set is sufficient. 

The idea behind the top-down approach is to apply the replacement pro- 
cedure k times in a row to replace all original arguments (a:i, . . . , Xfc) of / by 
the new substitutes (71, . . . ,7fc) G P-box. To get the presentation as general as 
possible, we keep the order of the k replacements variable. Let ct :/—>■/ be a 
bijective function that defines the order in which we replace the arguments of /. 
We interpret a{i) = j as the replacement of Xj with jj in the i-th step. 

Now we look for a recursive definition to derive the sequence gi,...,gk of 
functions that result from these replacements. We define the basis of the re- 
cursion as go '■= f with go : tJs{A) -^ M and dom(go) = Us{A). We set 
Qi := Tep{gi^i,Xa-(i) — >■ 7cr(i)) for i e /. In other words: We focus on the re- 
placement of a;cr(i) in step i e /, that means, we assume that we have just 
derived the functions 51, . . . ,gi-i- We then determine the set of region-regular 
points 

Xg^_^.„(i) ■■= {^ e 7r-^^(i)(dom(5i_i)) : ^ is region- regular} , 

that means, we check if the function 

9i il ■ 7i'CT(i)(dom(.gi_i)) -^ ]R>o, 

is region-suitable for a given ^. Thereafter, we define the domain of the succeeding 
function gi as 

9i ■ 7r<CT(i)(dom(g.,_i)) x 7r^(j) (P-box) x 7r>^(j)(dom(.gj_i)) -> M>o 

and use Xg^_,,„(j) to define ^^(^i, . . . ,Ca(z)-i,7<T(»),Co-(j)+i • ■ • ,6) 



inf inf 

(Cl) (C2) 



(41) 



(Cl) : x<^(i) e 7r^(i)(dom(5i_i)) 

(C2) : x<,(,)ei7..(,) (S<,(,))\i?.<,w (x<,(,)) 

for all £_ € n-i^(^i-j{doni{gi^i)) and all 7cr(i) G 7r^(i)(-r-box). We summarize the 
relation between the quantities during the i-th replacement in Figure 1171 (The 
striped quantities are introduced later.) 

The definitions above are chosen such that the function gi exists. After the 
A;-th step, the recursion ends with gk : -T-box — >■ R>o. We remark that, if we apply 
this mechanism to functions which are not admissible for controlled perturbation, 
the sequence of replacements will end-up with a function gk that fails the analysis 
from the next section. 

Example 10. We get back to the 2-dimensional in_box-predicate. For this exam- 
ple it is sufficient to assume that the box is fixed somehow and that the only 
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auxiliary constructions 



results 



Fig. 17. Illustration of the dependencies during the i-th replacement. The white- 
colored quantities are defined in Section 110.31 and the striped quantities in Sec- 
tion [1031 Here "A — >■ i?" means that B is derived from A. 



il X2 



il X2 



1st phase 



dom((;o) 



1st phase 



7i 



'' 72 C„., 



dom((;2) 



(a) 



dom(gi) 



(b) 



7i 



(c) 



Fig. 18. Illustration of the various domains and critical sets that result from the 
sequence of replacements for the 2-dimensional in_box-predicate. 



argument of the predicate is the query point q — (a;i,X2). This time we consider 
the various domains and critical sets of the functions gi that result from the 
sequence of replacements. (The order of the replacements is not important for 
this example.) The situation is illustrated in Figure \TS[ Picture (a) shows the 
domain (shaded region) of the function f = go itself. We know that the critical 
set is the boundary of the query box. 

After the replacement rep (170, 2; i — >■ 71), the first argument belongs to the 
set 7Ti{r-hox) resulting in an altered domain (see Picture (b)). We make two 
observations. Firstly, the critical set of gi is formed by two horizontal lines that 
are caused by the top and bottom part of the box Cgg . What is the reason for 
that? If we consider the absolute value of go while moving its argument along a 
horizontal line that passes through the top or bottom line segment of the box 
{x2 is fixed then), it leads to a mapping that is zero on an open interval; in 
this case the mapping cannot be region-suitable. Secondly, there are no further 
contributions to the critical set of gi. What is the reason? If we consider the 
absolute value of go along a horizontal line that passes through the interior of 
the box, it leads to a mapping which is region-suitable. 
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Picture (c) shows the situation after the second replacement Tep{gi, X2 — > 72)- 
The function (72 is positive on its entire domain P-box. The reason for this is 
that, if we consider the absohite value of gi along a vertical line (71 is fixed 
then), it leads to a mapping which is region-suitable. Q 

10.4 Derivation and Correctness of the Bounds 

Although we have replaced each Xi with 7^ in the argument list of / in a top-down 
manner, we are not able to determine the bounds Vf and (/?/ in the same way. 
To achieve this goal, we need to go through the collected information bottom-up 
again. The reason is that, at the time we arrive at a function, say ^i-i, we cannot 
check directly if gi-i is region- and value-suitable. Instead of this, we want that 
these properties are inherited from the successor gi to the predecessor. We will 
see that, once we arrive at g^, we can easily check if gk has the desired properties. 
This way we can possibly show that 50 j i-e. /, is also region- value-suitable. 

Therefore we divide the analysis in two phases. The first phase consists of 
the deduction of g^ via the sequence of replacements and is already presented 
in the last section. The second phase consists of the deduction of the bounding 
functions tpf and Xf and is the subject of this section. We begin with an auxiliary 
statement which claims that gk is non-decreasing in each argument under certain 
circumstances. 

Lemma 8. Let (/, fc, A, 5, Cmax, /^-box, t) he a predicate description where A is 
an axis-parallel box without holes and let I := {!,..., fc}. Let a : I —^ I be 
bijective, i.e., an order on the elements of I . Finally, let go '■— f and gj := 
rej){gj-i,Xcr{j) -^ Icrd)) for all 1 < j < k, i.e., Ohis the resulting function after 
the k replacements. If the function gk is positivP\ it is non- decreasing in 7^ on 
7rj(P-box) for all i E I . 

Proof. We refer to the explicit definition of gi in Formula (pij) that refiects the 
replacement of the i-th argument: For growing ^aU) "^^ shrink the domain for 
x„(^i) due to condition (C2). Formally, for 7', 7" G -K^i^i^lF-hoyi) with 7' < 7" the 
corresponding regions of uncertainty are related in the way 

Because the function value of gi is defined by the infimum absolute value, the 
function gi must be non-decreasing in its i-th argument ")a(i) for region-regular 
^ by construction. 

The same argumentation is true for each of the k replacements and is inde- 
pendent of the actual sequence of replacements. This finishes the proof. D 

The domain of the function g^ is naturally P-box. Even if r'-box has the same 
cardinality than R for k > 2, it is non-obvious how to define an invertible function 
Xg^. on r'-box. But such a bound is required to use the method of quantified 



That is why we have defined F-hox as an open set. 
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relations. For that purpose we restrict the domain in the analysis to .T-line: It is 
true that the elements of 7 e -T-line are now interlinked, but the important fact 
is that we can still choose them arbitrarily close to zero. 

To further prepare the analysis, we have to focus on a peculiarity of the 
auxiliary function <?,*^i ^ for a given i £ I. Remember that v ,a[i) and x *"(») 

are families of functions with parameter ^ e Xg._^ ^fi)- Therefore we are facing 
the following issue: For a given i g /, how can we deal with these two families 
of functions? The first solution that comes into mind is to replace each family 
with just one bounding function — so this is what we do. That means, we define 
the pointwise limits of these families as 

^g-w (7^(»)) - sup z/ ..(.) (7,(,)) 
and 

Xg-« {la{^) ■■= ^Jnf ^ Xg-W {la(^)) (42) 

for 7 G P-box and make use of these new bounds in the analysis. To illustrate 
this extra work in the analysis, we have added the two striped quantities in 
Figure [m 

Now we are ready to present the top-down approach to analyze real-valued 
functions. We claim and prove the results in the following theorem. 

Theorem 7 (top-down approach). Let (/, fc, A, (5, Cmax, ^-box, i) he a pred- 
icate description where A is an axis-parallel box without holes and let I := 
{1, . . . , k}. Let a : L —^ L he hijective, i.e., an order on the elements of L . Finally, 
let go := f and gj := rep((7j_i, Xo-Q) — > 7cr(j)) for all 1 < j < k. We define ipf 
and Xf o-s 

"Pfil) ■= 9k{l) 

k 

X/(7):=n V"</'(^-w)- 

3 = 1 ' 

If gk is positive on F-hox and Xf 'is invertible oro -T-line, then f is region- 
value-suitable with the bounding functionr'^] ipf and Xf ■ 

Proof. We prove the claim in three parts. First we show that there are certain 
bounding functions ipg^, and Xgk ^^ which gk is region- value-suitable. Afterwards 
we prove that, if the function gi has such bounding functions, then gi-i has also 
appropriate bounding functions. And in the end we deduce the claim of the 
theorem. 

Part 1 (basis). We assume that gk is positive on the open set F-hox, that 
means, we consider the function gk '. F-hox — ^ IR>o- At first we decompose the 

^^ Remember that ^T-line C F-hox. 

'^* Remember that we can use Uf instead of xf because of Formula (|17p . 
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F-safe „ 



- F-region^ 



Fig. 19. This is an exemplified 2-diniensional illustration of the decomposition 
of the I^-box into the sets /^-safe ^ and P- region for 7 e P-line. 



domain in two parts (see Figure [19)) . Let 7 S /^-line. We define the unique open 
axis-parallel box with opposite vertices 7 and^^l 7 as 

F-saiey := {7' e T-box : ji < 7- for all i £ I}. 

We denote its complement within the I^-box by 

P-region := P-box\ P-safe^. 

We think of F-region as the region of uncertainty and -T-safe^ as the region 
whose floating-point numbers are guaranteed to evaluate fp-safe. We claim that 
gk is region-value-suitable on F-hox in the following sense: We set the bounding 
functions to 



Vgk (7) 
Xsfc (7) 



.9fc(7) 

k 



ij) 



and claim that two statements are fulfilled for every 7 € P-line: 

1. The absolute value of 5^(7') is at least ^g^i'j) for all points 7' € /^-safe^. 

2. The volume of r-saie^ is Xgkil)- 

To prove the first statement, we consider the function value of gk along a path 
of k axis-parallel line segments from 7 to 7'. The path starts at 7 = (71, . . . , 7^), 
connects the (fc — 1) points (7J, . . . , 7J, 7^+1 . . . , 7^) with 1 < j' < fc in ascending 
order of j and ends at 7' = (7^, . . . ,7^). Along this path, the function value 
of gk is non-decreasing because of Lemma [S] For all i E I, the function gk is 
non-decreasing in its i-th argument 7^ € 7ri(_r-box) for fixed ^ £ Tr^i{r-hox) . 

The proof of the second statement is straight forward: Because the box is axis- 
parallel, its volume is the product of its edge-lengths. We make the observation 
that the function Xgt (7) is strictly monotonically increasing on r'-line and hence 
must be invertible on this domain. 



■^^ Remember that we have introduced 7 to define F-hoxj and .T-line^. More informa- 
tion and the formal bound is given in Remark [3l2 on Page 1271 
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We conclude the first part of the proof: For a given 7 e i^-hne, we have 
shown that the Junction value of gk is at least ipg^, (7) on an area of volume 
Xgk (7) ■ This way we have found evidence that gk is region- value-suitable in the 
meaning above. 

Part 2 (induction). We claim: For i ^ I and 7 G r'-line, the function value 
of gi-i is at least y^gi_i{'y) on an area of volume Xgi-iil) with 



'Pa.-ih) -^ Vg.il) (43) 

X -w (7a(«)) 
Xg.^^ (7) := Xg, il) ' ."^ ^ • (44) 



We prove the claim by mathematical induction for descending i e /. Basis (i = 
k). Due to the first part, we can base the proof on the bounding functions (ySg^ 
and Xgk- Induction step (i e /). We assume that the bounding functions are true 
for all j & I with i < j < k and prove the claim for i — 1. This is what we do 
next. 

Remember the definition gi :— rep((7.i_i , x„(^i) — > 7cr(i)) ■ In the step backwards 
from gi to gt-i, we observe the following difference in their two axis-parallel 
domains due to condition (C2) of Formula (HTI) : The counterpart to the situation 
in which the cr(z)-th argument of gi lies in tt^u^ (-T-safe^) is the situation in which 
the (T(i)-th argument of gi^i lies in 



U ,^li) {Xcr(i)) \ i? -<T(>) ixa(i)) (45) 



and belongs to the region-regular case. Furthermore, the volume of this area 
is guaranteed to be at least x '"W {laU)) due to Formula P^ . Because the 

axis-parallel domains of gi and gi-i do not differ in directions different to the 
(T(i)-th main axis, their volume (which is the product of edge lengths) solely 
differ in a factor. Therefore we can estimate the volume Xgi-i (7) &t the product 
Xgiil) where we replace the factor (7o-(i) — 7cr(i)) by x. •''(i)(7cr(i))j this validates 
Formula (l44t. 



Because of Lemma[71 the lower-bounding function ipg. is also a lower-bounding 
function on the volume of the area which is defined in Formula (j45p . This vali- 
dates Formula (l43l). 



Part 3 (conclusion). So far we have shown that for a given 7 € P-line, the 
function value of f = go is at least ff{'^) on an area of volume Xfil) because 



^5/(7) =<Pffo(7) = VgAl) = ■■■ = Vgkil) = 9kil) 
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and because 



X/(7) =Xso(7) 
= Xgi{l) 

= Xs2 (7) 



la(l) - 7<T(1) 

X<,-(2) (7<t(2)) Xg-(i) (7<t(i)) 



7<t(2) - 7<t(2) 7<t(1) - 7<t(1) 



^S'=('^) ■ 11 ^ TT^ 

i=l 7cr(j) 7rT(i) 



'V Xg-(.) (7<T(»)J 



=n(^.--7.)-n ^ _^ 

A.. ^ A ^.:-i" (^-(')) 

= 11 (7<xw - 7.w) • 11 ^ 






n v_"(*' (t-«)- 






If x/ is in addition invertible on the domain /^-line, / is region-value-suitable. 
This finishes the proof. D 

One prerequisite in the last theorem is that g^ is positive on the open .T-box. 
We make the observation that we cannot vahdate this property unless we have 
determined the entire sequence of replacements from / = go down to gk- That 
means, it is possible that the analysis fails at the end of the first phase. 

Furthermore, we make the observation that the bounding functions (pf and 
Xf are actually derived bottom-up in the the second phase of their derivation. 
That means, although we technically determine the sequence of functions gi in a 
top-down manner on the surface, the validity of the formulas is derived bottom- 
up afterwards. We summarize the steps of the top-down approach in Figure [501 



10.5 Examples 

Example 11. We use the top-down approach to determine the bounding func- 
tions (yOin.box and Xin.box for the predicate in_box. Again, we assume that the box 
is fixed somehow and that the only argument of the predicate is the query point. 
(There is no much infiuence on the analysis by the remaining parameters.) The 
predicate can be realized, for example, by the function 

f{x) := min {^^ - (x, - c,)^} 
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Fig. 20. Instructions for performing the top-down approach. The illustration 
reflects the steps in which the quantities are determined according to Theorem[7l 



where c G R'^ is the center of the axis-parallel box and its edge lengths are given 
by 2i. We eliminate the variables in ascending order from xi to Xk, that means, 
we set a{i) :— i for all 1 < i < fc. 

Part 1 (ipin.hox)- To determine (pin.box we need gk, to determine gk we need 
the entire sequence of replacements, and to determine gi we need to determine 
the value of the "inf inf" expression in dependence on 7^ in Formula (|4ip . This 
is what we do next. Because of the symmetry of /, the following discussion is 
valid for all coordinates Xi. 

To prepare the replacement of variables, we examine the function /*' for the 
region-regular case (see Figure [2T|) . The critical set Cfi contains two points, 
namely ct — £i and Ci + ii. By 7; we denote the minimal distance of Xi to a 
point in Cfi. (Again we assume that 7^ must be less than if, otherwise the 
interior of the box would be covered entirely by the region of uncertainty and 
the predicate would lose its meaning.) The absolute value of / grows in the 
distance to Cj.i. To determine a guaranteed lower bound on the absolute value 
of /, we assume that the distance of Xi to Cj.i is exactly 7^. In addition we 
make the observation that |/| grows slower towards the interior of the box than 
away from the box; therefore we must also assume that Xi lies between Ci — £i 
and Ci + £i to get a convincing bound. This leads to the worst-case consideration 
la^i — Ci| = \ci + ii — %\. We make use of the binomial theorem to derive the 
unequation 



i^,-ix,-c,y > ij-{c, + i,-^i)' 

--\2i^l^-l^\ 

.|(2£,-7.)7d- 



General Analysis Tool Box for Controlled Perturbation 



63 




Fig. 21. An illustration that supports the relation between the quantities of /* 
for the region-regular case of the predicate in_box. 



Next we define the functions gi as 

3,(71, . . . ,7,,Xi+i, . . . ,Xfc) := min {{^{2tj - jj)"fj : 1 < j < i} 

U {^2 _ (2;^. _ c/f : z < j < /c}) 

and in the end, the sequence of replacements leads to 

¥'in.box(7) -^ 9k{l) 
l<j<k 

Part 2 (xin.box)- Now we determine a bound on the volume of the complement 
of the region of uncertainty. For every z g /, a valid bounding function is given 

by 

This results in the following bound on the total volume: 

k 

Xin.box (7) = n ^aV-i ('>'*) 

1=1 
k 



n (2'5» - 47^) ■ 



Now that we have determined the bounding functions (/3in.box and Xin.box, it 
would be possible to finish the analysis with the method of quantified relations — 
but this is not our interest in this section. O 

Example 12. This is the continuation of Examples [TU] and 1111 Here we want to 
investigate the regions of uncertainty for the various functions gi. More pre- 
cisely, we are interested in the correlation between the regions which are defined 
bottom-up in the second phase of the approach. 
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Fig. 22. Illustration of the regions of uncertainty for the various domains in the 
analysis of the 2-diniensional in_box-predicate. 



Figure [22l visualizes the regions of uncertainty for the functions gi. The re- 
gions of uncertainty are light shaded whereas their complements are dark shaded. 
The decomposition is initiated by the choice of 7 £ r'-box. Since each compo- 
nent 7i is positive, neighborhoods of the critical set are added to the region of 
uncertainty on the way back up to go. 

As we have seen in Example 1101 the upper line segment of Cg^ causes the 
upper line of Cg^ . Conversely, we can now see that the upper line of Cg^ causes 
a region of uncertainty around the line which passes through the upper line 
segment of Cg^. Be aware that our top-down approach is designed such that 
this behavior is forced for all non-region-regular situations. This implies that 
our method does not need any kind of exceptional sets. In the contrary, there 
are no restrictions on the measure of the critical sets at all: The only thing that 
matters is the criterion if / is region-suitable or not. Q 



10.6 Further Remarks 

A different concept of the top-down approach is published in [46] . Although both 
presentations rest upon the same motivation, there are some technical differences 
in the realization. To avoid misunderstandings in the presentation and gain a 
deeper insight into our approach, we end this section with selected questions. 

Does f have to be (upper- or lower-) continuous to be top-down analyzable? 
No, we do not assume any kind of continuity in our approach. Points of discon- 
tinuity may be critical, but they do not have to be critical. 

May we assume that f is continuous? No, the top-down approach is defined 
recursively and the auxiliary functions gi are not continuous in general. Consider 
for example the continuous polynomial f{xi, X2) '■— a;^-|-a:| — 1 which is the planar 
"in unit circle" predicate. Then gi{xi,j2) is not continuous in four points for 
fixed 72 . The function is illustrated in Figure [231 That is the reason why the 
top-down approach must work for discontinuous functions. 

Does a critical set of measure zero imply that f is region- suitable? No, not 
in general. A notorious example is the density of Q in R. Let A C M be an 
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5(3^1,72) 




Fig. 23. Exemplified drawing of tlie "in unit circle" predicate after the first 
replacement. The function values on the interval [—1, 1] vary with 72. 



interval. Although A H Q is a set of measure zero, there is no e > such that 
the neighborhood Ue{A n Q) has a volume smaller than fJ.{A). But the latter 
is a necessary criterion for region-suitability and the applicability of controlled 
perturbation. 

Does region- suitability imply a finite critical set? No. A counter-example is 
the function x ■ sin (-) which is region-suitable although it has infinitely many 
zeros in any finite neighborhood of zero. (By the way, this function is also value- 
suitable.) We summarize: Critical sets of region- suitable functions are countable, 
but not every countable critical set implies region- suitability. 

Is it possible to neglect isolated points in the analysis? We may never ex- 
clude critical points from the analysis; they are always used to define the re- 
gion of uncertainty. We may exclude less-critical points provided that we adjust 
the success-probability "by hand" . We may neglect non-critical points provided 
that we still determine the correct inf- value-suitable bound (pintf- (See also Sec- 
tion IS]!) 

May we add additional points to the critical set? Yes, we may add points to 
the critical set provided that / is still guaranteed to be region-suitable. (See also 
Section [321) 

Can we decide if f is top-down analyzable without developing the sequence 
of replacements? It is a necessary condition for the top-down analyzability of / 
that gk is positive everywhere. It is not clear how we can guarantee this property 
in general without deriving gk- 



11 Determining the Lower Fp-safety Bound 



Here we introduce the design of guards and fp-safety bounds. Guards are nec- 
essary to implement guarded evaluations in Ag- In Section fll. II we explain how 
guards can be implemented for a wide class of functions including polynomials. 
To analyze the behavior of guards, we introduce fp-safety bounds in Section ril.2l 
We explain how we determine the fp-safety bound in the analysis (see Figure lM)) . 
Furthermore, we prove the fp-safety bounds which we have used in previous sec- 
tions. 
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Fig. 24. An error analysis is used to derive the bounding function for the safety- 
suitabihty in the first stage of the analysis. 



11.1 Implementing Guarded Evaluations 

Our presentation of guarded evaluations is based on rounding error analyses 
following the approach in 24 7 46 . A refinement is presented in the appendix 

of Eel. 



Rounding Error Analysis 

The implementation of guards is based on maximum error bounds. To determine 
the error bounds we use rounding error analyses. Note that the error bound of a 
function / depends on the formula E that realizes / and, especially, on the chosen 
sequence of evaluation. In TableUwe cite some rules to determine error bounds. 
Expressions E that are composed of addition, subtraction, multiplication and 
absolute value can be bounded by the value Be in the last row of the table. This 
includes the evaluation of polynomials; for further operators see |24I7I46) . The 
quantities ind^ and sup^ are derived according to the sequence of evaluation of 
E. The value ind^ is if a; G Fl, and it is 1 if a; is rounded. 

Example 13. We determine the error bound for the expression 

E(xi,. . . Xk)\¥ = (((a • xi) ■ X2)--- Xk)\¥ 

where fe G N, a e K is a coefficient and x G Us{x\g ^ ^_2emax^ 2*^"""']'^. A worst- 
case consideration leads to inda = 1 and sup^ = | a|F | for the coefficient and 
ind^i = and sup 2.. = | x^Jf | for 1 < i < fc. Then we obtain inda^i — 2 and 
= I axT\f I after the first multiplication. Taking all multiplications into 



SUPaxi 

account, we get ind^; = fc + 1 and sup^ 
we obtain the dynamic error hound 



aa:i • • • ccfelp I- According to Table |4] 

(fc + 1) • I axi • • • XfelF I • 2-^ 



Be{L,x) 
and the static error hound 

BE{L) = {k + l)-\c{v\-2 
where 2'^"'»>' is an upper bound on the absolute value of a perturbed input. Q 



<-L 
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E 


su-Pe 


inds 


X 


\x\r 


or 1 


Ei±E2 


(suPiSi +SUPbJ|f 


1 + max {indfij^ , ind^j } 


Ei-E2 


(supg^ -suPbJIf 


1 + indfij + indfij 


\E\ 


supg 


indfi 


Be ■- indis • sup^ ■ 2~^ 



Table 4. This table reprints parts of Table 2.1 in Funke [24l p. 11]. The row for 
\E\ is added by us. 



Remark 5. We make the important observation that the bound Be{L) approaches 
zero when L approaches infinity, that means, 

lim Be{L) = 0. 

Furthermore we observe that all error hounds which are derived from Table [7] 
have this property. O 



Guarded Evaluation 

In guarded algorithms Aq every predicate evaluation /(x)|f must be protected 
by a guard Qf{x) that verifies the sign of the result. Guards can be implemented 
using the dynamic (or the weaker static) error bounds. Let Bf(L, x) be an upper 
bound on the rounding error of /(a;)|F for floating point arithmetic F^, that 
means, 

Bj{L,x)>\f{x}^,-f{x)\. (46) 

Then we can immediately derive the implication 

\f{x}r\>Bf{L,x) => sign(/(x)|Fj = sign(/(x)). (47) 

We use the unequation on the left hand side to construct a guard Qf for f where 

gf{x):^{\f{x)\r\>Bf{L,x)). 

If Gfix) is true, f{x) has the correct sign. Note that this definition is in accor- 
dance with Definition [2] on Page [T] 
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11.2 Analyzing Guards With Fp-safety Bounds 

Now we explain how to analyze the behavior of guards according to |24|7|46] . 
Remember that we perform the analysis in real space. The implication 

\fix)\>2BfiL,x) ^ \fixh\>BfiL,x). (48) 



is true because of Formula (|46l) . The inequality on the left hand side is a relation 
that we can safely verify in real space. We can always use the static error bound 
to construct a fp-safety bound Sint f for f 

where Bf{L) is the static error bound. Note that this definition is in accordance 
with Definition [6] on Page [16] because the implications in Formulas (|47)) and (|48p 
guarantee the desired implication in Formula ([6]). Because of Remark\5l the fp- 
safety bound Sin{f{L) fulfills the safety- condition on page\2^ by construction. 
Next we derive a fp-safety bound for univariate polynomials. 

Corollary 3. Let f be a univariate polynomial 

f{x) =ad-x'^ + ad-i ■ x'^^^ + . . . + ai • X + ao (49) 

of degree d. Then 

SinffiL) :- (d + 2) • max \a,\ ■ 2«»-(''+i)+i--^ (50) 

l<i<d 

is a fp-safety bound for f on [_ 2'^"''=', 2*^"""'] where emax G N. 

Proof. We apply the error analysis of this section. We evaluate Formula (|49p 
from the right to the left. For a static error bound we get 

B/(L) :=ind/-sup^-2--^ = (d + 2) • ( max |a,| • 2'=-'"'(''+i) 

Finally we set the fp-safety bound to Sinff{L) :— 2Bf{L). D 

Multiplications usually cause larger rounding errors than additions. Surprisingly, 
the evaluation of univariate polynomials with the Horner schem^j (which mini- 
mize the number of multiplications) does not lead to a smaller error bound than 
the one we have derived in the proof. Next we derive an error bound for fc-variate 
polynomials. We define x' := Xi ■ . . . ■ x]^ for i G Ng and x G M'''. 

Corollary 4. Let f be the k-variate polynomial (k > 2) 



f{x) -^^a. 






^^ For Horner scheme see Hotz 1321. 
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where I C Nq is finite and a^ G M^q for all t G Z. Let d be the total degree of f 
and let Nt be the number of terms in f . Then 

SinifiL) ■.= {d+l+ \\ogNT^) ■ Nt ■ maxlaj • 2'— ''+'-'' (51) 

lex 

is a fp- safety bound for f on [— 2'^">='x, 2'^"""']*'' where emax G N. 

Proof. We begin with the determination of the error bound Bf . The maximum 
absolute value of the term a^x'' is obviously upper-bounded by the product of a 
bound on a^ and a bound on a:'. Because \xi\ < 2'^"'"' for all 1 < i < fc we have 

suPa,^. <max|a,|-2""-=='^. 
Since we know the number N^ of terms in /, we can then upper-bound sup t by 

supf < iVT ■ max I a, I • 2""^'^^'^. 

■' tGl 

In addition, we have inda^^^ — d+1 since we evaluate d multiplications and only 
Ot may not be in the set F. (Remember that, because of the perturbation, the 
values Xi belong to the grid G which is a subset of F.) 

To keep ind/ as small as possible, we sum up the Nt terms pairwise such that 
the tree of evaluation has depth [log NtI ■ This leads to ind/ = d+l+ [log Nt] ■ 
Therefore we conclude that 



Bf{L) = (d + 1 + [logiVTl ) • NVt ■ max |aj • 2'=-- 
As usual we set Sinff{L) := 2Bf{L). D 

12 The Treatment of Range Errors (All Components) 

In this section we address a floating-point issue that is caused by poles of ratio- 
nal functions. So far the implementation and analysis of functions is based on 
the fact that signs of floating-point evaluations are only non-reliable on certain 
environments of zero. Now we argue that signs of evaluations may also be non- 
reliable on environments of poles. We do this for the purpose to embed rational 
functions into our theory. In Section 112.11 we extend the previous implementa- 
tion considerations such that they can deal with range errors. In Section 0,2. 2 1 we 
expand the analysis to range errors of the floating-point arithmetic F. This is the 
first presentation that gains generality by the practical and theoretical treatment 
of range errors which, for example, are caused by poles of rational functions. 

12.1 Extending the Implementation 

We examine the simple rational function f{x) = -. It is well-known that the 
function value of / at the pole a; = does not exist in R (unless we introduce the 
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unsigned symbolic value ±00, see Forster |20j). We make the important observa- 
tion that we cannot determine the function value of / in a neighborhood of a pole 
with floating-point arithmetic ¥l^k because the absolute value of / may be too 
large. Moreover, we observe that the sign of f may change on a neighborhood 
of a pole. Both observations suggest that poles play a similar role like zeros in 
the context of controlled perturbation. Now we extend the implementation such 
that it gets able to deal with range errors. 

We extend the implementation of guarded evaluations in the following way: If 
the absolute value of / cannot be represented with the floating-point arithmetic 
'^L,K because it is too large, we abort Aq with the notification of a range error. 
We do not care about the source of the range error: It may be "division by zero" 
or "overflow." The implementation of the second guard per evaluation is straight 
forward. Some programming languages provide an exception handling that can 
be used for this objective. 

In addition we must change the implementation of the controlled perturba- 
tion algorithm ,4cp. If Aq fails because of a range error, we increase the bit 
length K of the exponent (instead of the precision L). Be aware that we talk 
about the exponent, that means, an additive augmentation of the bit length 
implies a multiplicative augmentation of the range. These simple changes guar- 
antee that the floating-point arithmetic F^^^ gets adjusted to the necessary 
dimensions in neighborhoods of poles or in regions where the function value is 
extremely large. 



12.2 Extending the Analysis of Functions 

For the purpose of dealing with range errors in the analysis, we need to adapt 
several parts of the analysis tool box. Below we present the necessary changes 
and extensions in the same order in which we have developed the theory. 



Criticality and the region-suitability 

The changes to deal with range errors affect the interface between the two stages 
of the analysis of functions. At first we extent the definition of criticality. We 
demand that certain points (e.g. poles of rational functions) are critical, too, and 
refine Definition [7] in the following way. 

Definition 20 (critical). Let (/, /c, A, (5, Cmax) be a predicate description. We 
call a point c (£ Us (x) critical if 

xeU^(c)\{c} xe(7e(c)\{c} 

on a neighborhood Us{c) for infinitesimal small e > 0. Furthermore, we call c 
less-critical if c is not critical, but f{c) = or c is a pole. Points that are neither 
critical nor less- critical are called non-critical. 
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For simplicity and as before, we define the critical set Cf^s to be the union of 
critical and less-critical points within Us{x). Be aware that the new definition 
of criticality may expand the region of uncertainty. As a consequence it affects 
the region- suitability and the bound z/j, respectively Xf- Note that Definition 1201 
guarantees that we exclude neighborhoods of poles from now on. Because we have 
integrated poles into the definition of criticality, we have implicitly adapted the 
region-suitability. 



The sup-value-suitability 

So far we have only considered inf |/| outside of the region of uncertainty. But to 
get a quantified description of range issues in the analysis, we need to consider 
sup I/I as well. What we have called value-suitability so far is now called, more 
precisely, inf- value- suitability. Its bounding function, that we have called ^f{'y) 
so far, is now called cpiai /{j). 

In addition to Definition [14] we introduce sup-value-suitability, that means, 
there is an upper-bounding function ipsup / (7) on the absolute value of / outside 
of the region of uncertainty Rf. We show how the new bound is determined 
with the bottom-up approach later on. Based on the new terminology, we call / 
(totally) value-suitable if / is both; inf-value-suitable and sup-value-suitable. 



The sup-safety-suitability and analyzability 

We also extend Definition [151 What we have called safety-suitability so far is 
now called, more precisely, inf-safety-suitability. Its bounding function Smi f{L) 
is now called the lower fp-safety bound. 

In addition we introduce sup-safety-suitability, that means, there is an in- 
vertible upper-bounding function Ssup f [K) on the absolute value of / with the 
following meaning: If we know that 

1/(^)1 < SsupfiK), 

then f{xjw is definitely a finite number in F^^x- We call Ssnpf{K) the upper 
fp-safety bound. Such a bound is trivially given bjQJ 

Ssupf{K) := 2 — Sin{f{L). 

Based on the new terminology, we call / (totally) safety- suitable if / is both: inf- 
safety-suitable and sup-safety-suitable. As a consequence, we call / analyzable 
if / is region-suitable, value-suitable (both subtypes) and safety-suitable (both 
subtypes). 



27 



Firstly, the largest floating-point number that is representable with ¥l,k is (2 — 
2~^)2^ . Secondly, we must take the maximal floating-point rounding error into 
account. 
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The method of quantified relations 



Next we extent the method of quantified relations such that the new bounds on 
the range of floating-point arithmetic are included into the analysis. In addition 
to the precision function Lf{p), we determine the bounding function 



Kfip) ■■= \s;,lf (^sup/ {t ■ v^^ (£. (p)))) 



That means, we deduce the maximum absolute value of / outside of the region 
of uncertainty from the probability; afterwards we use the upper fp-safety bound 
to deduce the necessary bit length of the exponent. The derivation of Kjijp) is 
absolutely analog to the derivation of isafo(p) in Steps 1-5 of the method of 
quantified relations. 

We summarize our results so far: If we have the bounding functions of the 
interface of the function analysis, we know that the floating-point arithmetic 
'^L](p),K}(p) is sufficient to safely evaluate / at a random grid point in the per- 
turbation area with probability p. 

Furthermore, we can derive a probability function pf if / is analyzable and 
</3inf/ and fsu-pf ai'e both invertible. Analog to the definition of pinf (i) in Re- 
mark |4l4, we derive the additional bound on the probability 



ftupW := e;^ (yf {\ ■ v;ulfiSsupf{K)) 



from Kf{p). This leads to the final probability function p/ : N x N — > (0, 1) where 

Pf{L,K) := min{pinf(£), Psup{K), Pg^iL)} 
for parameter i e (0, 1). 

The bottom-up approach 

Now we extend the calculation rules of the bottom- up approach to also derive the 
bounding function (fsupfil) from simpler sup- value-suitable functions. At first 
we replace the lower-bounding rule in Theorem[3]by the following sandwich-rule. 

Theorem 8 (sandwich). Let {f,k,A,S,e^s,x,r-\me,t) be a predicate descrip- 
tion. If there is a region-value- suitable function g : Us{A) — )> M and Ci, C2 G K>o 
where 

ci|.9(a:)|<|/(x)| < C2\g{x)\, 

then f is also region-value-suitable with the following bounding functions: 



Vf{l) 


= ^g{l) 


Vinifil) 


= Ci(pinfg(7) 


Vsupfh) 


= C2'~Psnpg{l)- 



If f is in addition safety-suitable, f is analyzable. 
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Proof. The region-suitability and inf- value-suitability follows from the proof of 
Theoreni|3l The sup- value-suitability is proven similar to Part 2 of the mentioned 
proof. D 

Next we extent the product rule in Theorem 21 We just add the assignment 

'^sup/(7) ■=fsupg{jU---,7e) ■'Psuph{l3 + U---,lk)- 

after Formula (jSlJ . Its proof follows Part 1 of the proof of Theorem 21 

At last we extent the min-rule and the max-rule in Theorem O We add the 
two assignments 

'PsupUiAl) ■= min{93supg(7i, • • ■ ,le),'Psuph{lj+i, ■ ■ ■,1k)} 

'PsupU^Al) '■= m-Axiipsupgill, ■ ■ ■,Je),'Psuph{'-t3 + l,- ■ • ,7fc)}- 

after Formula ([M]) . Again, its proof follows Part 1 of the proof of Theorem 21 

The top-dov^rn approach 

Similar to the functions (pinf g^ , which are simply called ipg- in the overview in 
Figure BOl we determine the functions (psupgi hi the second phase of the pseudo- 
top-down approach in a bottom-up fashion. 

This completes the integration of the range considerations into the analysis 
tool box. Be aware that all changes presented in this section do not restrict 
the applicability of the analysis tool box in any way. On the contrary, they are 
necessary for the correctness and generality of the tool box. 

13 The Analysis of Rational Functions 

We have just solved the arithmetical issues that occur in the implementation 
and analysis of rational functions. Besides we must solve technical issues in the 
implementation of guards and, moreover, provide a general technique to derive 
a quantitative analysis for rational functions. This is the first presentation that 
contains the implementation and analysis of rational functions. 

Let / := -I be a rational function, that means, let g and h be multivariate 
polynomials. Let k be the number of arguments of /, i.e., we consider f{x) where 
X = {xi, . . . ,Xk). The arguments of g and h may be any subsequence of x, but 
each Xi is at least an argument of g or an argument of h. We know that g and 
h are analyzable (see Section 193]) . 

At first we discuss the implementation of guards for rational functions. We 
make the important observation that — independent of the evaluation sequences 
of g and h — the division of the value of g by the value of h is the very last 
operation in the evaluation of /. Because of the standardization of floating-point 
arithmetic (e.g., see [33]), the sign of / is computed correctly if the signs of g 
and h are computed correctly. Therefore it is sufficient for an implementation of 
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a predicate that branches on the sign of a rational function / to use the guard 
Gf ■■= [Gg A Gh). 

But how do we analyze this predicate, that means, how can we relate the 
known quantities? Let x be given. In the case that the (dependent) arguments 
of g and h lie outside of their region of uncertainty, we can deduce the relation 



s.. 



< fix) < -^. (52) 

sup h t^inf h 

Unfortunately this is not what we need. This way, we can only deduce the value 
of / from the values of g and h, but not vice versa: If f{x) fulfills Formula ([5^ . 
we cannot deduce that the guards Gg and Gh are true. For example, assume that 
f{x) = 1; then we know that the values of g and h are equal, but we do not 
know if their values are fp-safe or close to zero. 

Therefore we choose a different way to analyze the behavior of guard Gf- 
Since g and h are multivariate polynomials, we can analyze the behavior of Gg 
and Gh and derive the precision functions Lg{p) and Lh{p) as we have seen in 
earlier sections. If we demand that g and h evaluate successfully with probability 
— j2 each, / evaluates successfully with probability p since the sum of the failure 
probability of g and h is at most (1 — p). This leads to the precision function 

Lf{p) := max jig f ^^1 -'^h \-^]\ 

which reflects the behavior of Gf and therefore analyzes the behavior of an 
implementation of the rational function evaluation of /. 

14 General Analysis of Algorithms (Composition) 

So far we have only presented components of the tool box which are used to 
analyze functions. Now we introduce the components which are used to ana- 
lyze controUed-perturbation algorithms Acp . Figure [51] illustrates the analysis 
of algorithms. Similar to the analysis of functions, the algorithm analysis has 
two stages. The interface between the stages is introduced in Section [14.11 It 
consists of necessary algorithm properties (to the left of the dashed line) and the 
analyzability of the used predicates (to the right of the dashed line). There we 
also show how to determine the bounds associated with the algorithm properties. 
In Section [14.21 we give an overview of algorithm properties. The method of dis- 
tributed probability represents the actual analysis of algorithms and is presented 
in Section [1131 

14.1 Necessary Conditions for the Analysis of Algorithms 

Next we introduce several properties of controlled-perturbation algorithms. Some- 
times we use the same names for algorithm and function properties to emphasize 
the analog. We describe to which algorithms we can apply controlled perturba- 
tion, for which we can verify that they terminate, and which we can analyze 
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Fig. 25. Illustration of the analysis of controlled-pcrturbation algorithms. 



in a quantitative way because they are suitable for the analysis. In particular, 
three properties are necessary for the analyzability of algorithms: evaluation-, 
predicate- and perturbation-suitability. However, the three conditions are not 
sufficient for the analysis of algorithms since there are also prerequisites on the 
used predicates. In this section we define the various properties of controlled- 
perturbation algorithms, explain how we obtain the bounding functions that are 
associated with the necessary conditions, and show how the algorithm properties 
are related with each other. 

Definition 21. Let Aqp be a controlled perturbation algorithm. 

— (applicable). We call Aqp applicable if there is a precision function Lj^^p : 
(0, 1) X N — > N and r] G N with the property: At least one from rj runs of the 
embedded guarded algorithm Aq is expected to terminate successfully for a 
randomly perturbed input of size n G N with probability at least p G (0; 1) /o'' 
every precision L G N with L > Lj[^p{p,n). 

— (verifiable). We call Aqp verifiable if the following conditions are fulfilled: 

1. All used predicates are verifiable. 

2. The perturbation area Uj{cp_s{y) contains an open neighborhood ofy. 

3. The total number of predicate evaluations is bounded. 

4. The number of predicate types is bounded. 

— (evaluation-suitable) . We call Acp evaluation-suitable if the total number 
of predicate evaluations is upper-bounded by a function N-e : N — > N in 
dependence on the input .size n. 

— (predicate- suitable) . We call Acp predicate-suitable if the number of differ- 
ent predicates is upper-bounded by a function N-p : N — > N m dependence on 
the input size n. 

— (perturbation-suitable). LetU_A.cp,siy) be the perturbation area ofAcp around 
y; we assume that UAcp,siy) is scalable with parameter S and that it has a 
fixed .shape, e.g., cube, box, sphere, ellipsoid, etc. We call Acp perturbation- 
suitable if there is a bounding function V : R^g ~^ '^>o with the property 
that there is an open axis-parallel box UAcp.s{y) with volume at least V{S) 
and UAcp,s{y) C UAcp,s{y)- 
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— (analyzahle). We call Acp analyzable if the following conditions are fulfilled: 

1. All used predicates are analyzahle. 

2. Acv is evaluation- suitable, predicate- suitable and perturbation- suitable. 

Remark 6. We add some remarks on the definitions above. 

1. The applicability of an algorithm has a strong meaning: For every arbitrar- 
ily large success probability p G (0, 1) and for every arbitrarily large input size 
n € N there is still a finite precision that fulfills the requirements. As a matter of 
fact, a controlled perturbation algorithm reaches this precision after finite many 
steps. Because in addition the success probability is monotonically growing dur- 
ing the execution of Ac¥^ we conclude: If the algorithm Acv is applicable, its 
execution is guaranteed to terminate. 

2. In the definition of applicability, we define the precision function i^^p (-P' "■) 
as a function in the desired success probability p and the input size n. Naturally, 
the bound also depends on other quantities like the perturbation parameter 5, 
an upper bound on the absolute input values or the maximum rounding-error. 
However, the latter quantities have some infiuence in the determination of the 
bounding functions in the analysis of functions. Here they occur as parameters 
in formula i^^p ^^^ are not mentioned as arguments. 

3. We remark on the perturbation-suitability that we allow any shape of the 
perturbation area hlj\^^p^s in practice which fulfills the condition in the definition. 
As opposed to that we have assumed that the perturbation area Uf^s in the 
analysis of functions is an axis-parallel box. This looks contradictorily and needs 
further explanation. 

As a matter of fact, there is just one perturbation y G lAj^i^-p^s{y)\G^ ^ of the 
input before we try to evaluate the whole sequence of predicates. We assume 
that the random perturbation is chosen from a discrete uniform distribution 
in a subset of the n-dimensional space. Opposed to that, function fi has just 
ki <^ n arguments x = (xi, . . . ,Xfe;). Mathematically speaking, we determine 
the input x of fi by an orthogonal projection of y onto a fci-dimensional plane. 
Now we make the following important observation: // we examine the orthogonal 
projection onto a ki- dimensional plane, the projected points do not occur with 
the same probability in general. We refer to Figure [26] and Figure 1271 Despite 
of this observation, we prove in Section 114.31 that there is an implementation 
of ^cp that we can analyze — presumed that we know the bounding function V 
that is mentioned in the definition above. 

4. We remark on the predicate-suitability that the number A'p G N of differ- 
ent predicates is usually fixed for a geometric algorithm. Anyway, since we will 
see that the analysis can also be performed for a function Np{n) we keep the 
presentation as general as possible. O 

Next we explain how we determine the three bounding functions which are as- 
sociated with the three necessary algorithm properties. We refer to Figure [25l 
If the number Np of used predicates is fixed, we just count them; otherwise we 
perform a complexity analysis to determine the bounding function Np{n). We 
usually determine the bounding function N-E{n) on the number of predicate eval- 
uations with a complexity analysis, too. The bound rj results from a geometric 



General Analysis Tool Box for Controlled Perturbation 



77 



ii.'r2 



iipGi'i) 



71"! 



.Tl 



.Tl 



,Tl 



(a) 



(b) 



(c) 



Fig. 26. (a) The original perturbation areaZ^^cp,(5 is an axis-parallel box. (b) Its 
projection is uniformly distributed, (c) The points in the projection are chosen 
with the same probability. 
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Fig. 27. (a) The original perturbation area W^cp,<5 is a sphere, (b) Its projection 
is uniformly distributed, (c) The points in the projection are not chosen with 
the same probability. 



consideration: We only need to determine the real volume of the solid pertur- 
bation area. If the perturbation area has an ordinary shape, its computation is 
straight forward. We consider an example of this. 

Example 14- Let the input of ^cp be m points in the plain, that means, n — 2m. 
In addition let the perturbation area for each point be a disc of radius 6. Then 
the axis-parallel square of maximum volume inside of such a disc has edge length 
SV2. We obtain: 

fj,{m discs of radius 6) 

^{m cubes of edge length 5^/2) 

m ■ 7r(5^ 
m-2J2 
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We observe that the bound 77 does not depend on m (or n). Q 

Now we state and prove the imphcations of algorithm properties. 

Lemma 9. Let algorithm Ac¥ be analyzable. Then Aqp is verifiable. 

Proof. This is trivially true. D 

Lemma 10. Let algorithm Acp be verifiable. Then Acf is applicable. 

Proof. To show that ^cp is applicable, we prove the following existence. There 
is rj £ N such that for every p € (0, 1) and every n € N there is a precision £p.„ 
with the property: For a randomly perturbed input of size n, at least one from 
rj runs of Aq is expected to terminate successfully with probability at least p for 
every precision L G N with L > Cp^n- Then the function i_4^p(p, n) := Cp^n has 
the desired property which proves the claim. 

At first we show that there is an appropriate 77 G N. Because ^cp is verifiable, 
the perturbation area W^^p. 5(2/) contains an open set around y. Therefore there 
is an open axis-parallel box around y with Us{y) C Uj,^p^s{y). Then there is also 
a natural number 



r] :-- 






That means, if we randomly choose 77 points from a uniformly distributed grid 
in Uj\,(^p^s{y)\GL K ^ '^6 may expect that at least one point lies also inside of Us{y). 
Let p G (0, 1) and let ?i G N. In addition let y G Us{yjGL.K be randomly cho- 
sen. Since Acp is verifiable, there is an upper-bound A^e G N on the total number 
of predicate evaluations. Therefore we can distribute the total failure probability 
(1 — p) among the Ne predicate evaluations. Hence there is a probability 

1-p 
n := . 

iVE 

Obviously Ao{y) is successful with probability p if every predicate evaluation 
fails with probability at most g. 

Let Np G N be the number of different predicates in Aq which are decided by 
the functions /i , . . . , /jVp . Because Acv is verifiable, all used predicates are ver- 
ifiable and thus applicable. Then Definition 1101 implies the existence of precision 
functions Lf^ , . . . , Lf^ . Therefore there is a precision 

Cp^n := max Lf.{l- g) 

l<i<Np 

which has the desired property because of Definition 1101 This finishes the proof. 

D 

As a consequence of Lemma [5] and Lemma [TU] the controlled perturbation im- 
plementation Acp terminates with certainty and yields the correct result for the 
perturbed input if Acp is analyzable. 
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14.2 Overview: Algorithm Properties 

An overview of the defined algorithm properties is shown in Figure 1281 The 
meanings are: A controlled perturbation algorithm Acp is guaranteed to termi- 
nate if Acp is applicable (see Remark [Sjl). If Acp is verifiable, we can prove 
that ^cp terminates — even if we are not able to analyze its performance. And 
finally, we can give a quantitative analysis of the performance of Acp if Acp is 
analyzable. 

The implications are: An evaluation-, perturbation- and predicate suitable 
algorithm that uses solely analyzable predicates is analyzable (see Definition |9]) . 
An analyzable algorithm is also verifiable (see Lemma ^ . And a verifiable algo- 
rithm is also applicable (see Lemma [T0|) . 




lUuHtratioii: Algorithin Properties 



In the Analysis In the Analysis 

(quantitative) (not quantitative) 



applicable 



In Practice 



Fig. 28. The illustration summarizes the implications of the various algorithm 
properties that we have defined in this section. 



14.3 The Method of Distributed ProbabiUty 

Here we state the main theorem of this section. The proof contains the method of 
distributed probability which is used to analyze complete algorithms. Figure [25] 
shows the component and its interface. 

Theorem 9 (distributed probability). Let Acp be analyzable. Then there is 
a general method to determine a precision function i^^p : (0, 1) x N — ?> N and 
K_A.cp '■ (0, 1) X N — > N and 77 S N with the property: At least one from rj runs 
of the embedded guarded algorithm Aq is expected to terminate successfully for 
a randomly perturbed input of size n with probability at least p € (0, 1) for every 
arithmetic ¥l^k where L > Lj\^^-p(j),n) and K > Kj^^-p{p,n). 

Proof. We prove the claim in three steps: At first we derive 77 € N from the 
shape of the region of uncertainty. Then we determine a bound on the failure 
probability of each predicate evaluation. And finally we analyze each predicate 
type to determine the worst-case precision. An overview of the steps is given in 
Table El 
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Step 1 (define 77). We define rj as the ratio 

„_r vjs) ' 

Tliat means, if we randomly clioose rj points from a uniformly distributed grid in 
^Acp-siy)\GL,KJ we may expect that at least one point lies also inside oiUAcp.siv)- 
Step 2 (define p). Let p G (0, 1) be the desired success probability of the 
guarded algorithm ^g- Then (1 — p) is the failure probability of ^g- There are 
at most NE{n) predicate evaluations for an input of size n. That means, the 
guarded algorithm succeeds if and only if we evaluate all predicates successfully 
in a row for the same perturbed input. We observe that the evaluations do 
not have to be independent. Therefore we define the failure probability of each 
predicate evaluation as the function 

1-P 



g{p,n) := 



NEin) 



in dependence on p and n. 

Step 3 (define L^cp ^^'^ ^Acr)- There are at most Np{n) different predi- 
cates. Let /i, . . . , fNp(n) be the functions that realize these predicates. Since all 
functions are analyzable, we determine their precision function Lf. with the pre- 
sented methods of our analysis tool box. Then we define the precision function 
for the algorithm as 

LAcpiPiTT-) -.^ ma.x Lf.{l-g{p,n)) 

l<i<Np{n) 



max Lf. I 1 



i<i<Np{n) ■'' \' N^in) 

1-p 



Analogically we define 

KA„T,(Pin) ~ max Kr. 1 
'^°^^'^' ' i<j<Wp(«) ^' \ NE{n) 

Then every arithmetic F^jf with L > Lj[^p{p,n) and K > Kacp{Pt^) has the 
desired property by construction. D 

15 General Controlled Perturbation Implementations 

We present a general way to implement controlled perturbation algorithms ^cp 
to which we can apply our analysis tool box. The algorithm template is illustrated 



Step 1: determine "in axis-parallel box" probability (define if) 
Step 2: determine "per evaluation" probability (define p) 
Step 3: compose precision function (define Laq-p and Kj,^ 



•^cv I 



Table 5. Instructions for performing the method of distributed probability. 
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as Algorithm [21 It is important to see that all statements which are necessary 
for the controlled perturbation management are simply wrapped around the 
function call of ^g ■ 



Algorithm 2 : AcpiAG,y,l^s,ip,v) 

/* imtialtzation */ 

L <— precision of built-in floating-point arithmetic 

K <— exponent bit length of built-in floating-point arithmetic 

Cmax <— determine upper bound 2'^"""' on \yi\ +5 

repeat 

/* run guarded algorithm */ 
for j = 1 to 77 do 

y -It- random point in Us{y)\iG,^ j^ ^^^^ 

a; ^ AG{y,^L,K) 

if ^G succeeded then 
leave the for-loop 

end if 
end for 

/* adjust parameters */ 
if ^G failed then 

if floating point overflow error occurred then 
/* guard failed because of range error */ 
K <^ K + 'tpK 
else 

/* guard failed because of insufficient precision */ 

end if 
end if 
until ^G succeeded 

/* return perturbed input y and result u */ 
return {y,(jj) 



Remember that the original perturbation area is l^s{y)\G- The implementa- 
tion of a uniform perturbation seems to be a non-obvious task for most shapes. 
Therefore we propose axis-parallel perturbation areas in applications. (For ex- 
ample, we can replace spherical perturbation areas with cubes that are contained 
in them.) For axis-parallel areas there is the special bonus that the perturbation 
is composed of random integral numbers as we have explained in Remark [TJ 

An argument of the controlled perturbation implementation is the tuple ip = 
{'4'l,'4'k) € M X N of constants which are used for the augmentation of L and K. 
The real constant ipL > 1 is used for a multiplicative augmentation of L, and 
the natural number tpx is used for an additive augmentation of K. 

We remark that there is a variant of Algorithm [2] that also allows the increase 
of perturbation parameter 6. Beginning with S — (5,„in G ^>o: we augment the 
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perturbation parameter 6 by a real factor ips > 1 each time we repeat the for- 
loop. When we leave the for- loop, we reset 5 to S^i^- We observe that this strategy 
implies an upper-bound on the perturbation parameter by 5max '■= (^min • tps~ ■ 
This is the bound that we use in the analysis. To keep the presentation clear, 
we do not express variable perturbation parameters explicitly in the code. 

A variable precision floating-point arithmetic is necessary for an implemen- 
tation of Acp ■ When we increase the precision in order to evaluate complex ex- 
pressions successfully, the evaluation of simple expressions start suffering from 
the wasteful bits. Therefore we suggest floating-point filters as they are used in 
interval arithmetic. That means, we use a multi-precision arithmetic that refines 
the precision on demand up to the given L. If it is necessary to exceed L, Ac 
fails. In the analysis we use this threshold on the precision. 



16 Perturbation Policy 

The meaning of perturbation is introduced in Section 13.11 and its implementa- 
tion is explained in Remark [1] on Page [121 So far we have considered the original 
input to be the point y G R" which is the concatenation of all coordinates of all 
input points for the geometric algorithm ^cp- In contrast to that, we now care 
for the geometric interpretation of the input and consider it as a sequence of 
geometric objects Oi, . . . , Om- Then a perturbation of the input is the sequence 
of perturbed objects. In this section we define two different perturbation policies: 
The pointwise perturbation in Section 116.11 and the object-preserving perturba- 
tion in Section 116.21 The latter has the property that the topology of the input 
object is preserved. This is the first presentation that integrates object-preserving 
perturbations in the controlled-perturbation theory. 



16.1 Pointwise Perturbation 

For pointwise perturbations we assume that the geometric object is given by a 
sequence of points. A circle in the plain, for example, is given by three points. 
Another example is the polygon in Figure I29f a) which is represented by the 
sequence of four vertices abed. The pointwise perturbation of a geometric object 
is the sequence of individually perturbed points of its description, i.e., randomly 
chosen points of their neighborhoods. Figure I^W b) shows a pointwise perturbed 
polygon a'b'c'd' for our example. Because the perturbations are independent of 
each other, this policy is quite easy to implement. But we observe that point- 
wise perturbations do not preserve the structure of the input object in general: 
The original polygon abed is simple whereas the perturbed polygon a'b'c'd' in 
our example is not. And the orientation of a circle that is defined by three per- 
turbed points may differ from the orientation of the circle that is defined by the 
original points. Be aware that our analysis is particularly designed for pointwise 
perturbations. We suggest to apply this perturbation policy to inputs that are 
disturbed by nature, e.g., scanned data. 



General Analysis Tool Box for Controlled Perturbation 83 





(a) 



(b) 



Fig. 29. Example of a pointwise perturbation in the plane: (a) original input and 
(b) perturbed input. 



16.2 Object-preserving Perturbation 

For object-preserving perturbations we assume that the geometric object is given 
by an anchor point and a sequence of fixed measurements o A circle in the plain, 
for example, is given by a center (anchor point) and a radius (fixed measure- 
ment). Another example is the polygon abed in Figure [301( a) which is given by an 
anchor point, say o, and implicitly by the sequence of vectors (the measurements) 
pointing from a to 6, from a to c, and from a to d. The object-preserving pertur- 




(a) 




Fig. 30. Example of an object-preserving perturbation in the plane: (a) original 
input and (b) perturbed input. 



bation of a geometric object is a pointwise perturbation of its anchor point while 
maintaining all given measurements. Figure IHHT b) shows polygon a'b'c'd' that 
results from an object-preserving perturbation. There we have b' :— a' -\- b — a, 
etc. We observe that this perturbation is actually a translation of the object and 
hence preserves the structure of the input object in any respect: its orientation, 



The measurements may be given explicitly or implicitly. Both is fine. 



84 Ralf Osbild 

measurements and angles. The object-preserving perturbation of a circle, for 
example, changes its location but not its radius. 

The input must provide further information to support object-preserving 
perturbations. For the explicit representation, this policy requires a labeling of 
input values as anchor points (perturbable) or measurements (constant). For 
the implicit representation, the policy requires the subdivision of the input into 
single objects; then we make one of these points the anchor point and derive the 
measurements for the remaining points. To allow the object-preserving pertur- 
bation, the implementation must offer the labeling of values or the distinction 
of input objects. 

In this context it is pleasant to observe that our perturbation area Us{AJiq 
supports object-preservation because it is composed of a regular grid. // the 
original object is represented without rounding error, the perturbed object is rep- 
resented exactly as well. Of course, we can always apply object-preserving per- 
turbations to finite-precision input objectso We suggest to apply this policy to 
inputs that result from computer-aided design (CAD): By design, the measure- 
ments are often multiples of a certain unit which can be used as an upper bound 
on the grid unit. 

How can we analyze object-preserving perturbations? We consider the anal- 
ysis of function / that realizes a predicate. For pointwise perturbations we de- 
mand in Section [3. II that / only depends on input values. For object-preserving 
perturbations we only allow dependencies on anchor points: Every other point 
in the description of the object must be replaced in the formula by an expres- 
sion that depends on the anchor point of the affected object. Be aware that 
these expressions can be resolved error-free due to the fixed-point grid G. Then 
the new formula, depends only on anchor points (variables) and measurements 
(constants). The dependency of the function on the variables is analyzed as be- 
fore. Finally we remark that we do not recommend perturbation policies that 
are based on scaling, stretching, sheering or rotation since the perturbed input 
cannot be represented error-free in general. 



^^ This is true because we can derive a sufficient grid unit from the given fixed-precision 
input. 
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17 Appendix: List of Identifiers 

Page numbers refer to definitions of the identifiers. References to preliminary 
definitions are parenthesized. 



Algorithms Page 

A the given geometric algorithm A{y). 

Ac the guarded version AG{y,^h,K) of algorithm A, i.e., all [7] 

predicate evaluations are guarded. 

Acp the controlled perturbation version y^cp(-4G, y, ^, ^) of HI] 

algorithm A. The implementation of A(jp makes usage 
of Re- 
sets and Number Systems Page 
C the set of complex numbers. 

Fi^/f 1. the set of floating point numbers with radix 2 whose [S] 

precision has up to L digits and whose exponent has up 
to K digits. 
2. the floating point arithmetic that is induced this way. 

Gi,,i<-,e„ax the set of grid points. They are a certain subset of [12] 

the floating point numbers F^ k within the interval 

[_2'^.-x,2-— ]. 

N; No the set of natural numbers; set of natural numbers in- 

cluding zero. 

Q the set of rational numbers. 

K; M>o; the set of real numbers; set of positive real numbers; set 

Rj^o of real numbers excluding zero. 

Z the set of integer numbers. 

X|fj^ f, the restriction of a set X to points in F^^^. [6] 

X|gj, k emax ^hc rcstrictiou of a set X to points in '&h,K,e^-,.^^- US 

Identifiers of the Analysis Page 

A the set of valid projected arguments x for /. [9] 

Be{L) a floating point error bound on the arithmetic expression |67] 

E. 

C/ ( • ) the critical set of / . (fT7| .[7T] 
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Qf a guard for / on the domain X. [7] 

K the bit length of the exponent (see ¥l^k)- \E\ 

Kf{p) a lower bound on the bit length of the exponent. [72] 

L the bit length of the precision (see Wl^k)- IS] 

Lacf (P' "■) ^^"^ precision function of Acp ■ E51 

Lf{p) the precision function of /. |33] 

Lgiid a bound on the precision; caused by the grid unit condi- (|25|) , [33l 

tion. 

Lgafe a bound on the precision; caused by the region- and [33l 
safety-condition. 

N-E,{n) an upper-bound on the number of predicate evaluations. [75] 

Np{n) an upper-bound on the number of different predicates. [75] 

Rf,j{-) the region of uncertainty of /. [18] 

-R/,aug(7)(') the augmented region of uncertainty of /. [18] 

Sinf f [L) the lower fp-safety bound. [HI ([7T|l 

5'sup/(^) the upper fp-safety bound. [7T] 

Uf^s{-) the perturbation area of /; its shape is an axis-parallel [9] 
box. 

Uacp-s{) the perturbation area of ^cp! its shape is an axis-parallel [751 
box. 

^Acp,s{') the perturbation area of Acv] it may have any shape. [75] 

Cmax the input value parameter (see Formula ([1])). [5] 

/ the real- valued function / : Us{A) -^ M under consider- [9] 
ation. We assume that the sign of / decides a geometric 
predicate. 

k the arity of /. [9] 

n the size of input y. [8] 

Pf{L,K) the probability function of /. (|35|) .[72l 

Pgrid(-^) a bound on the probability; caused by the grid unit con- 1351 
dition. 

PiniiL) a bound on the probability; caused by the region- and [35l 
inf-safety-condition. 

Psup{K) a bound on the probability; caused by the sup-safety- [72] 
condition. 
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pr(/|G) the least probability that a guarded evaluation of / is [T2l 

successful for inputs in G under the arithmetic F. 



J the augmentation factor for the region of uncertainty. [24] 

X the arguments of /; projection of y. [3] 

X the perturbed arguments of /; projection of y. [5] 

y the original input to the algorithm. [5] 

y the perturbed input y e Us{y). M 

6 the perturbation parameter which bounds the maximum [9] 
amount of perturbation componentwise. 

7 the tuple of componentwise distances to the critical set. [18] 

r the set of valid augmented 7. [TH] 

i^-box like F; the set is an axis parallel box. [IS] 

T^-line like F; the set is a line. [TH] 

Vf{'y) an upper-bound on the volume of Rf,-y [23 

T the grid unit. [T^] 

<Pinf 7(7) a lower-bound on the absolute value of / outside of i?/,^. [Ml (|7T|) 

¥'sup/(7) an upper-bound on the absolute value of / outside of 1711 

-R/,7- 

Xf{^) a lower-bound on the complement of Vf within the per- [27] 
turbation area. 

ip the tuple V" = (V'L, V'k) e K X N is used for the augmen- [81] 
tation of L and K. 

Miscellaneous Page 

/x(-) the Lebesgue measure. [10] 

7r(-) the projection of points and sets, e.g., tt^, 7r<i, 7r>i, n^i. \ST\ 

-< the reverse lexicographic order. [JS] 

^o- the reverse lexicographic order after the permutation of [45] 
the operands. 
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